Polygon based interactive security visualization of network entity data

ABSTRACT

Security related anomalies in the data related to network entities are identified, and a risk score is assigned to each entity based on the anomalies. Visualization data is generated for a color-coded interactive visualization. Generating the visualization data includes assigning each entity to a separate polygon to be displayed concurrently on a display screen; selecting a size of each polygon to indicate one of: a number of security related anomalies associated with the entity, or a risk level assigned to the entity, where the risk level is based on the risk score of the entity, and selecting a color of each polygon to indicate the other one of: the number of security related anomalies associated with the entity, or the risk level assigned to the entity; and causing, the color-coded interactive visualization to be displayed on a display device based on the visualization data.

A portion of the disclosure of this patent document contains materialwhich is subject to copyright protection. The copyright owner has noobjection to the facsimile reproduction by anyone of the patent documentor the patent disclosure, as it appears in the Patent and TrademarkOffice patent file or records, but otherwise reserves all copyrightrights whatsoever

RELATED APPLICATIONS

Any and all applications for which a foreign or domestic priority claimis identified in the Application Data Sheet as filed with the presentapplication are incorporated by reference under 37 CFR 1.57 and made apart of this specification.

BACKGROUND

Information technology (IT) environments can include diverse types ofdata systems that store large amounts of diverse data types generated bynumerous devices. For example, a big data ecosystem may includedatabases such as MySQL and Oracle databases, cloud computing servicessuch as Amazon web services (AWS), and other data systems that storepassively or actively generated data, including machine-generated data(“machine data”). The machine data can include log data, performancedata, diagnostic data, metrics, tracing data, or any other data that canbe analyzed to diagnose equipment performance problems, monitor userinteractions, and to derive other insights.

The large amount and diversity of data systems containing large amountsof structured, semi-structured, and unstructured data relevant to anysearch query can be massive, and continues to grow rapidly. Thistechnological evolution can give rise to various challenges in relationto managing, understanding and effectively utilizing the data. To reducethe potentially vast amount of data that may be generated, some datasystems pre-process data based on anticipated data analysis needs. Inparticular, specified data items may be extracted from the generateddata and stored in a data system to facilitate efficient retrieval andanalysis of those data items at a later time. At least some of theremainder of the generated data is typically discarded duringpre-processing.

However, storing massive quantities of minimally processed orunprocessed data (collectively and individually referred to as “rawdata”) for later retrieval and analysis is becoming increasingly morefeasible as storage capacity becomes more inexpensive and plentiful. Ingeneral, storing raw data and performing analysis on that data later canprovide greater flexibility because it enables an analyst to analyze allof the generated data instead of only a fraction of it. Although theavailability of vastly greater amounts of diverse data on diverse datasystems provides opportunities to derive new insights, it also givesrise to technical challenges to search and analyze the data in aperformant way.

BRIEF DESCRIPTION OF THE DRAWINGS

Illustrative examples are described in detail below with reference tothe following figures:

FIG. 1 is a block diagram of an embodiment of a data processingenvironment.

FIG. 2 is a flow diagram illustrating an embodiment of a routineimplemented by the data intake and query system to process, index, andstore data.

FIG. 3A is a block diagram illustrating an embodiment of machine datareceived by the data intake and query system.

FIGS. 3B and 3C are block diagrams illustrating embodiments of variousdata structures for storing data processed by the data intake and querysystem.

FIG. 4A is a flow diagram illustrating an embodiment of a routineimplemented by the query system to execute a query.

FIG. 4B provides a visual representation of the manner in which apipelined command language or query can operate

FIG. 4C is a block diagram illustrating an embodiment of a configurationfile that includes various extraction rules that can be applied toevents.

FIG. 4D is a block diagram illustrating an example scenario where acommon customer identifier is found among log data received fromdisparate data sources.

FIG. 5 illustrates an example of a network environment that includes asecurity application to facilitate monitoring and analysis of networksecurity issues.

FIG. 6 shows an example of an overall process that may be performed bythe security application to generate an interactive visualization ofsecurity related data.

FIG. 7 shows an example of a display screen that may be generated by thesecurity application, including a treemap display of network entities.

FIG. 8 shows the display screen of FIG. 7 , with a control for selectingthe maximum number of displayed entities activated.

FIG. 9 shows the display screen of FIG. 7 , with a control for selectinga time period activated.

FIG. 10 shows the display screen of FIG. 7 , with a control forselecting displayed risk levels activated.

FIG. 11 shows a dialog window containing additional filtering optionsassociated with the display screen of FIG. 7 .

FIG. 12 shows an example of an entity details display.

FIG. 13 shows the display of FIG. 12 , with a control for generatingreports or changing compute score activated.

FIG. 14 shows the display of FIG. 12 , with a control for selecting thecurrent time period activated.

DETAILED DESCRIPTION

Modern data centers and other computing environments can compriseanywhere from a few host computer systems to thousands of systemsconfigured to process data, service requests from remote clients, andperform numerous other computational tasks. During operation, variouscomponents within these computing environments often generatesignificant volumes of machine data. Machine data is any data producedby a machine or component in an information technology (IT) environmentand that reflects activity in the IT environment. For example, machinedata can be raw machine data that is generated by various components inIT environments, such as servers, sensors, routers, mobile devices,Internet of Things (IoT) devices, etc. Machine data can include systemlogs, network packet data, sensor data, application program data, errorlogs, stack traces, system performance data, etc. In general, machinedata can also include performance data, diagnostic information, and manyother types of data that can be analyzed to diagnose performanceproblems, monitor user interactions, and to derive other insights.

A number of tools are available to analyze machine data. In order toreduce the size of the potentially vast amount of machine data that maybe generated, many of these tools typically pre-process the data basedon anticipated data-analysis needs. For example, pre-specified dataitems may be extracted from the machine data and stored in a database tofacilitate efficient retrieval and analysis of those data items atsearch time. However, the rest of the machine data typically is notsaved and is discarded during pre-processing. As storage capacitybecomes progressively cheaper and more plentiful, there are fewerincentives to discard these portions of machine data and many reasons toretain more of the data.

This plentiful storage capacity is presently making it feasible to storemassive quantities of minimally processed machine data for laterretrieval and analysis. In general, storing minimally processed machinedata and performing analysis operations at search time can providegreater flexibility because it enables an analyst to search all of themachine data, instead of searching only a pre-specified set of dataitems. This may enable an analyst to investigate different aspects ofthe machine data that previously were unavailable for analysis.

However, analyzing and searching massive quantities of machine datapresents a number of challenges. For example, a data center, servers, ornetwork appliances may generate many different types and formats ofmachine data (e.g., system logs, network packet data (e.g., wire data,etc.), sensor data, application program data, error logs, stack traces,system performance data, operating system data, virtualization data,etc.) from thousands of different components, which can collectively bevery time-consuming to analyze. In another example, mobile devices maygenerate large amounts of information relating to data accesses,application performance, operating system performance, networkperformance, etc. There can be millions of mobile devices thatconcurrently report these types of information.

These challenges can be addressed by using an event-based data intakeand query system, such as the SPLUNK® ENTERPRISE, SPLUNK® CLOUD, orSPLUNK® CLOUD SERVICE system developed by Splunk Inc. of San Francisco,Calif. These systems represent the leading platform for providingreal-time operational intelligence that enables organizations tocollect, index, and search machine data from various websites,applications, servers, networks, and mobile devices that power theirbusinesses. The data intake and query system is particularly useful foranalyzing data which is commonly found in system log files, networkdata, metrics data, tracing data, and other data input sources.

In the data intake and query system, machine data is collected andstored as “events.” An event comprises a portion of machine data and isassociated with a specific point in time. The portion of machine datamay reflect activity in an IT environment and may be produced by acomponent of that IT environment, where the events may be searched toprovide insight into the IT environment, thereby improving theperformance of components in the IT environment. Events may be derivedfrom “time series data,” where the time series data comprises a sequenceof data points (e.g., performance measurements from a computer system,etc.) that are associated with successive points in time. In general,each event has a portion of machine data that is associated with atimestamp. The time stamp may be derived from the portion of machinedata in the event, determined through interpolation between temporallyproximate events having known timestamps, and/or may be determined basedon other configurable rules for associating timestamps with events.

In some instances, machine data can have a predefined structure, wheredata items with specific data formats are stored at predefined locationsin the data. For example, the machine data may include data associatedwith fields in a database table. In other instances, machine data maynot have a predefined structure (e.g., may not be at fixed, predefinedlocations), but may have repeatable (e.g., non-random) patterns. Thismeans that some machine data can comprise various data items ofdifferent data types that may be stored at different locations withinthe data. For example, when the data source is an operating system log,an event can include one or more lines from the operating system logcontaining machine data that includes different types of performance anddiagnostic information associated with a specific point in time (e.g., atimestamp).

Examples of components which may generate machine data from which eventscan be derived include, but are not limited to, web servers, applicationservers, databases, firewalls, routers, operating systems, and softwareapplications that execute on computer systems, mobile devices, sensors,Internet of Things (IoT) devices, etc. The machine data generated bysuch data sources can include, for example and without limitation,server log files, activity log files, configuration files, messages,network packet data, performance measurements, sensor measurements, etc.

The data intake and query system can use flexible schema to specify howto extract information from events. A flexible schema may be developedand redefined as needed. The flexible schema can be applied to events“on the fly,” when it is needed (e.g., at search time, index time,ingestion time, etc.). When the schema is not applied to events untilsearch time, the schema may be referred to as a “late-binding schema.”

During operation, the data intake and query system receives machine datafrom any type and number of sources (e.g., one or more system logs,streams of network packet data, sensor data, application program data,error logs, stack traces, system performance data, etc.). The systemparses the machine data to produce events each having a portion ofmachine data associated with a timestamp, and stores the events. Thesystem enables users to run queries against the stored events to, forexample, retrieve events that meet filter criteria specified in a query,such as criteria indicating certain keywords or having specific valuesin defined fields. Additional query terms can further process the eventdata, such as, by transforming the data, etc.

As used herein, the term “field” can refer to a location in the machinedata of an event containing one or more values for a specific data item.A field may be referenced by a field name associated with the field. Aswill be described in more detail herein, in some cases, a field isdefined by an extraction rule (e.g., a regular expression) that derivesone or more values or a sub-portion of text from the portion of machinedata in each event to produce a value for the field for that event. Theset of values produced are semantically-related (such as IP address),even though the machine data in each event may be in different formats(e.g., semantically-related values may be in different positions in theevents derived from different sources).

As described above, the system stores the events in a data store. Theevents stored in the data store are field-searchable, wherefield-searchable herein refers to the ability to search the machine data(e.g., the raw machine data) of an event based on a field specified insearch criteria. For example, a search having criteria that specifies afield name “UserID” may cause the system to field-search the machinedata of events to identify events that have the field name “UserID.” Inanother example, a search having criteria that specifies a field name“UserID” with a corresponding field value “12345” may cause the systemto field-search the machine data of events to identify events havingthat field-value pair (e.g., field name “UserID” with a correspondingfield value of “12345”). Events are field-searchable using one or moreconfiguration files associated with the events. Each configuration filecan include one or more field names, where each field name is associatedwith a corresponding extraction rule and a set of events to which thatextraction rule applies. The set of events to which an extraction ruleapplies may be identified by metadata associated with the set of events.For example, an extraction rule may apply to a set of events that areeach associated with a particular host, source, or sourcetype. Whenevents are to be searched based on a particular field name specified ina search, the system can use one or more configuration files todetermine whether there is an extraction rule for that particular fieldname that applies to each event that falls within the criteria of thesearch. If so, the event is considered as part of the search results(and additional processing may be performed on that event based oncriteria specified in the search). If not, the next event is similarlyanalyzed, and so on.

As noted above, the data intake and query system can utilize alate-binding schema while performing queries on events. One aspect of alate-binding schema is applying extraction rules to events to extractvalues for specific fields during search time. More specifically, theextraction rule for a field can include one or more instructions thatspecify how to extract a value for the field from an event. Anextraction rule can generally include any type of instruction forextracting values from machine data or events. In some cases, anextraction rule comprises a regular expression, where a sequence ofcharacters form a search pattern. An extraction rule comprising aregular expression is referred to herein as a regex rule. The systemapplies a regex rule to machine data or an event to extract values for afield associated with the regex rule, where the values are extracted bysearching the machine data/event for the sequence of characters definedin the regex rule.

In the data intake and query system, a field extractor may be configuredto automatically generate extraction rules for certain fields in theevents when the events are being created, indexed, or stored, orpossibly at a later time. Alternatively, a user may manually defineextraction rules for fields using a variety of techniques. In contrastto a conventional schema for a database system, a late-binding schema isnot defined at data ingestion time. Instead, the late-binding schema canbe developed on an ongoing basis until the time a query is actuallyexecuted. This means that extraction rules for the fields specified in aquery may be provided in the query itself, or may be located duringexecution of the query. Hence, as a user learns more about the data inthe events, the user can continue to refine the late-binding schema byadding new fields, deleting fields, or modifying the field extractionrules for use the next time the schema is used by the system. Becausethe data intake and query system maintains the underlying machine dataand uses a late-binding schema for searching the machine data, itenables a user to continue investigating and learn valuable insightsabout the machine data.

In some embodiments, a common field name may be used to reference two ormore fields containing equivalent and/or similar data items, even thoughthe fields may be associated with different types of events thatpossibly have different data formats and different extraction rules. Byenabling a common field name to be used to identify equivalent and/orsimilar fields from different types of events generated by disparatedata sources, the system facilitates use of a “common information model”(CIM) across the disparate data sources.

In some embodiments, the configuration files and/or extraction rulesdescribed above can be stored in a catalog, such as a metadata catalog.In certain embodiments, the content of the extraction rules can bestored as rules or actions in the metadata catalog. For example, theidentification of the data to which the extraction rule applies can bereferred to a rule and the processing of the data can be referred to asan action.

1.0. Operating Environment

FIG. 1 is a block diagram of an embodiment of a data processingenvironment 100. In the illustrated embodiment, the environment 100includes a data intake and query system 102, one or more host devices104, and one or more client computing devices 106 (generically referredto as client device(s) 106).

The data intake and query system 102, host devices 104, and clientdevices 106 can communicate with each other via one or more networks,such as a local area network (LAN), wide area network (WAN), private orpersonal network, cellular networks, intranetworks, and/or internetworksusing any of wired, wireless, terrestrial microwave, satellite links,etc., and may include the Internet. Although not explicitly shown inFIG. 1 , it will be understood that a client computing device 106 cancommunicate with a host device 104 via one or more networks. Forexample, if the host device 104 is configured as a web server and theclient computing device 106 is a laptop, the laptop can communicate withthe web server to view a website.

A client device 106 can correspond to a distinct computing device thatcan configure, manage, or sends queries to the system 102. Examples ofclient devices 106 may include, without limitation, smart phones, tabletcomputers, handheld computers, wearable devices, laptop computers,desktop computers, servers, portable media players, gaming devices, orother device that includes computer hardware (e.g., processors,non-transitory, computer-readable media, etc.) and so forth. In certaincases, a client device 106 can include a hosted, virtualized, orcontainerized device, such as an isolated execution environment, thatshares computing resources (e.g., processor, memory, etc.) of aparticular machine with other isolated execution environments.

The client devices 106 can interact with the system 102 (or a hostdevice 104) in a variety of ways. For example, the client devices 106can communicate with the system 102 (or a host device 104) over anInternet (Web) protocol, via a gateway, via a command line interface,via a software developer kit (SDK), a standalone application, etc. Asanother example, the client devices 106 can use one or more executableapplications or programs to interface with the system 102.

A host device 104 can correspond to a distinct computing device orsystem that includes or has access to data that can be ingested,indexed, and/or searched by the system 102. Accordingly, in some cases,a client device 106 may also be a host device 104 (e.g., it can includedata that is ingested by the system 102 and it can submit queries to thesystem 102). The host devices 104 can include, but are not limited to,servers, sensors, routers, personal computers, mobile devices, internetof things (IOT) devices, or hosting devices, such as computing devicesin a shared computing resource environment on which multiple isolatedexecution environment (e.g., virtual machines, containers, etc.) can beinstantiated, or other computing devices in an IT environment (e.g.,device that includes computer hardware, e.g., processors,non-transitory, computer-readable media, etc.). In certain cases, a hostdevice 104 can include a hosted, virtualized, or containerized device,such as an isolated execution environment, that shares computingresources (e.g., processor, memory, etc.) of a particular machine (e.g.,a hosting device or hosting machine) with other isolated executionenvironments.

As mentioned host devices 104 can include or have access to data sourcesfor the system 102. The data sources can include machine data found inlog files, data files, distributed file systems, streaming data,publication-subscribe (pub/sub) buffers, directories of files, data sentover a network, event logs, registries, streaming data services(examples of which can include, by way of non-limiting example, Amazon'sSimple Queue Service (“SQS”) or Kinesis™ services, devices executingApache Kafka™ software, or devices implementing the Message QueueTelemetry Transport (MQTT) protocol, Microsoft Azure EventHub, GoogleCloud Pub Sub, devices implementing the Java Message Service (JMS)protocol, devices implementing the Advanced Message Queuing Protocol(AMQP)), cloud-based services (e.g., AWS, Microsoft Azure, Google Cloud,etc.), operating-system-level virtualization environments (e.g.,Docker), container orchestration systems (e.g., Kubernetes), virtualmachines using full virtualization or paravirtualization, or othervirtualization technique or isolated execution environments.

In some cases, one or more applications executing on a host device maygenerate various types of machine data during operation. For example, aweb server application executing on a host device 104 may generate oneor more web server logs detailing interactions between the web serverand any number of client devices 106 or other devices. As anotherexample, a host device 104 implemented as a router may generate one ormore router logs that record information related to network trafficmanaged by the router. As yet another example, a database serverapplication executing on a host device 104 may generate one or more logsthat record information related to requests sent from other devices(e.g., web servers, application servers, client devices, etc.) for datamanaged by the database server. Similarly, a host device 104 maygenerate and/or store computing resource utilization metrics, such as,but not limited to, CPU utilization, memory utilization, number ofprocesses being executed, etc. Any one or any combination of the filesor data generated in such cases can be used as a data source for thesystem 102.

In some embodiments, an application may include a monitoring componentthat facilitates generating performance data related to host device'soperating state, including monitoring network traffic sent and receivedfrom the host device and collecting other device and/orapplication-specific information. A monitoring component may be anintegrated component of the application, a plug-in, an extension, or anyother type of add-on component, or a stand-alone process.

Such monitored information may include, but is not limited to, networkperformance data (e.g., a URL requested, a connection type (e.g., HTTP,HTTPS, etc.), a connection start time, a connection end time, an HTTPstatus code, request length, response length, request headers, responseheaders, connection status (e.g., completion, response time(s), failure,etc.)) or device performance information (e.g., current wireless signalstrength of the device, a current connection type and network carrier,current memory performance information, processor utilization, memoryutilization, a geographic location of the device, a device orientation,and any other information related to the operational state of the hostdevice, etc.), device profile information (e.g., a type of clientdevice, a manufacturer, and model of the device, versions of varioussoftware applications installed on the device, etc.) In some cases, themonitoring component can collect device performance information bymonitoring one or more host device operations, or by making calls to anoperating system and/or one or more other applications executing on ahost device for performance information. The monitored information maybe stored in one or more files and/or streamed to the system 102.

In general, a monitoring component may be configured to generateperformance data in response to a monitor trigger in the code of aclient application or other triggering application event, as describedabove, and to store the performance data in one or more data records.Each data record, for example, may include a collection of field-valuepairs, each field-value pair storing a particular item of performancedata in association with a field for the item. For example, a datarecord generated by a monitoring component may include a“networkLatency” field (not shown in the Figure) in which a value isstored. This field indicates a network latency measurement associatedwith one or more network requests. The data record may include a “state”field to store a value indicating a state of a network connection, andso forth for any number of aspects of collected performance data.

In some embodiments, such as in a shared computing resource environment(or hosted environment), a host device 104 may include logs or machinedata generated by an application executing within an isolated executionenvironment (e.g., web server log file if the isolated executionenvironment is configured as a web server or database server log filesif the isolated execution environment is configured as database server,etc.), machine data associated with the computing resources assigned tothe isolated execution environment (e.g., CPU utilization of the portionof the CPU allocated to the isolated execution environment, memoryutilization of the portion of the memory allocated to the isolatedexecution environment, etc.), logs or machine data generated by anapplication that enables the isolated execution environment to shareresources with other isolated execution environments (e.g., logsgenerated by a Docker manager or Kubernetes manager executing on thehost device 104), and/or machine data generated by monitoring thecomputing resources of the host device 104 (e.g., CPU utilization,memory utilization, etc.) that are shared between the isolated executionenvironments. Given the separation (and isolation) between isolatedexecution environments executing on a common computing device, incertain embodiments, each isolated execution environment may be treatedas a separate host device 104 even if they are, in fact, executing onthe same computing device or hosting device.

Accordingly, as used herein, obtaining data from a data source may referto communicating with a host device 104 to obtain data from the hostdevice 104 (e.g., from one or more data source files, data streams,directories on the host device 104, etc.). For example, obtaining datafrom a data source may refer to requesting data from a host device 104and/or receiving data from a host device 104. In some such cases, thehost device 104 can retrieve and return the requested data from aparticular data source and/or the system 102 can retrieve the data froma particular data source of the host device 104 (e.g., from a particularfile stored on a host device 104).

The data intake and query system 102 can ingest, index, and/or storedata from heterogeneous data sources and/or host devices 104. Forexample, the system 102 can ingest, index, and/or store any type ofmachine data, regardless of the form of the machine data or whether themachine data matches or is similar to other machine data ingested,indexed, and/or stored by the system 102. In some cases, the system 102can generate events from the received data, group the events, and storethe events in buckets. The system 102 can also search heterogeneous datathat it has stored or search data stored by other systems (e.g., othersystem 102 systems or other non-system 102 systems). For example, inresponse to received queries, the system 102 can assign one or morecomponents to search events stored in the storage system or search datastored elsewhere.

As will be described herein in greater detail below, the system 102 canuse one or more components to ingest, index, store, and/or search data.In some embodiments, the system 102 is implemented as a distributedsystem that uses multiple components to perform its various functions.For example, the system 102 can include any one or any combination of anintake system 110 (including one or more components) to ingest data, anindexing system 112 (including one or more components) to index thedata, a storage system 116 (including one or more components) to storethe data, and/or a query system 114 (including one or more components)to search the data, etc.

In the illustrated embodiment, the system 102 is shown having foursubsystems 110, 112, 114, 116. However, it will be understood that thesystem 102 may include any one or any combination of the intake system110, indexing system 112, query system 114, or storage system 116.Further, in certain embodiments, one or more of the intake system 110,indexing system 112, query system 114, or storage system 116 may be usedalone or apart from the system 102. For example, the intake system 110may be used alone to glean information from streaming data that is notindexed or stored by the system 102, or the query system 114 may be usedto search data that is unaffiliated with the system 102.

In certain embodiments, the components of the different systems may bedistinct from each other or there may be some overlap. For example, onecomponent of the system 102 may include some indexing functionality andsome searching functionality and thus be used as part of the indexingsystem 112 and query system 114, while another computing device of thesystem 102 may only have ingesting or search functionality and only beused as part of those respective systems. Similarly, the components ofthe storage system 116 may include data stores of individual componentsof the indexing system and/or may be a separate shared data storagesystem, like Amazon S3, that is accessible to distinct components of theintake system 110, indexing system 112, and query system 114.

In some cases, the components of the system 102 are implemented asdistinct computing devices having their own computer hardware (e.g.,processors, non-transitory, computer-readable media, etc.) and/or asdistinct hosted devices (e.g., isolated execution environments) thatshare computing resources or hardware in a shared computing resourceenvironment.

For simplicity, references made herein to the intake system 110,indexing system 112, storage system 116, and query system 114 can referto those components used for ingesting, indexing, storing, andsearching, respectively. However, it will be understood that althoughreference is made to two separate systems, the same underlying componentmay be performing the functions for the two different systems. Forexample, reference to the indexing system indexing data and storing thedata in the storage system 116 or the query system searching the datamay refer to the same component (e.g., same computing device or hosteddevice) indexing the data, storing the data, and then searching the datathat it stored.

As will be described in greater detail herein, the intake system 110 canreceive data from the host devices 104 or data sources, perform one ormore preliminary processing operations on the data, and communicate thedata to the indexing system 112, query system 114, storage system 116,or to other systems (which may include, for example, data processingsystems, telemetry systems, real-time analytics systems, data stores,databases, etc., any of which may be operated by an operator of thesystem 102 or a third party). Given the amount of data that can beingested by the intake system 110, in some embodiments, the intakesystem can include multiple distributed computing devices or componentsworking concurrently to ingest the data.

The intake system 110 can receive data from the host devices 104 in avariety of formats or structures. In some embodiments, the received datacorresponds to raw machine data, structured or unstructured data,correlation data, data files, directories of files, data sent over anetwork, event logs, registries, messages published to streaming datasources, performance metrics, sensor data, image and video data, etc.

The preliminary processing operations performed by the intake system 110can include, but is not limited to, associating metadata with the datareceived from a host device 104, extracting a timestamp from the data,identifying individual events within the data, extracting a subset ofmachine data for transmittal to the indexing system 112, enriching thedata, etc. As part of communicating the data to the indexing system, theintake system 110 can route the data to a particular component of theintake system 110 or dynamically route the data based on load-balancing,etc. In certain cases, one or more components of the intake system 110can be installed on a host device 104.

1.4.2. Indexing System Overview

As will be described in greater detail herein, the indexing system 112can include one or more components (e.g., indexing nodes) to process thedata and store it, for example, in the storage system 116. As part ofprocessing the data, the indexing system can identify distinct eventswithin the data, timestamps associated with the data, organize the datainto buckets or time series buckets, convert editable buckets tonon-editable buckets, store copies of the buckets in the storage system116, merge buckets, generate indexes of the data, etc. In addition, theindexing system 112 can update various catalogs or databases withinformation related to the buckets (pre-merged or merged) or data thatis stored in the storage system 116, and can communicate with the intakesystem 110 about the status of the data storage.

As will be described in greater detail herein, the query system 114 caninclude one or more components to receive, process, and execute queries.In some cases, the query system 114 can use the same component toprocess and execute the query or use one or more components to receiveand process the query (e.g., a search head) and use one or more othercomponents to execute at least a portion of the query (e.g., searchnodes). In some cases, a search node and an indexing node may refer tothe same computing device or hosted device performing differentfunctions. In certain cases, a search node can be a separate computingdevice or hosted device from an indexing node.

Queries received by the query system 114 can be relatively complex andidentify a set of data to be processed and a manner of processing theset of data from one or more client devices 106. In certain cases, thequery can be implemented using a pipelined command language or otherquery language. As described herein, in some cases, the query system 114can execute parts of the query in a distributed fashion (e.g., one ormore mapping phases or parts associated with identifying and gatheringthe set of data identified in the query) and execute other parts of thequery on a single component (e.g., one or more reduction phases).However, it will be understood that in some cases multiple componentscan be used in the map and/or reduce functions of the query execution.

In some cases, as part of executing the query, the query system 114 canuse one or more catalogs or databases to identify the set of data to beprocessed or its location in the storage system 116 and/or can retrievedata from the storage system 116. In addition, in some embodiments, thequery system 114 can store some or all of the query results in thestorage system 116.

In some cases, the storage system 116 may include one or more datastores associated with or coupled to the components of the indexingsystem 112 that are accessible via a system bus or local area network.In certain embodiments, the storage system 116 may be a shared storagesystem 116, like Amazon S3 or Google Cloud Storage, that are accessiblevia a wide area network.

As mentioned and as will be described in greater detail below, thestorage system 116 can be made up of one or more data stores storingdata that has been processed by the indexing system 112. In some cases,the storage system includes data stores of the components of theindexing system 112 and/or query system 114. In certain embodiments, thestorage system 116 can be implemented as a shared storage system 116.The shared storage system 116 can be configured to provide highavailability, highly resilient, low loss data storage. In some cases, toprovide the high availability, highly resilient, low loss data storage,the shared storage system 116 can store multiple copies of the data inthe same and different geographic locations and across different typesof data stores (e.g., solid state, hard drive, tape, etc.). Further, asdata is received at the shared storage system 116 it can beautomatically replicated multiple times according to a replicationfactor to different data stores across the same and/or differentgeographic locations. In some embodiments, the shared storage system 116can correspond to cloud storage, such as Amazon Simple Storage Service(S3) or Elastic Block Storage (EBS), Google Cloud Storage, MicrosoftAzure Storage, etc.

In some embodiments, indexing system 112 can read to and write from theshared storage system 116. For example, the indexing system 112 can copybuckets of data from its local or shared data stores to the sharedstorage system 116. In certain embodiments, the query system 114 canread from, but cannot write to, the shared storage system 116. Forexample, the query system 114 can read the buckets of data stored inshared storage system 116 by the indexing system 112, but may not beable to copy buckets or other data to the shared storage system 116. Insome embodiments, the intake system 110 does not have access to theshared storage system 116. However, in some embodiments, one or morecomponents of the intake system 110 can write data to the shared storagesystem 116 that can be read by the indexing system 112.

As described herein, in some embodiments, data in the system 102 (e.g.,in the data stores of the components of the indexing system 112, sharedstorage system 116, or search nodes of the query system 114) can bestored in one or more time series buckets. Each bucket can include rawmachine data associated with a timestamp and additional informationabout the data or bucket, such as, but not limited to, one or morefilters, indexes (e.g., TSIDX, inverted indexes, keyword indexes, etc.),bucket summaries, etc. In some embodiments, the bucket data andinformation about the bucket data is stored in one or more files. Forexample, the raw machine data, filters, indexes, bucket summaries, etc.can be stored in respective files in or associated with a bucket. Incertain cases, the group of files can be associated together to form thebucket.

The system 102 can include additional components that interact with anyone or any combination of the intake system 110, indexing system 112,query system 114, and/or storage system 116. Such components mayinclude, but are not limited to an authentication system, orchestrationsystem, one or more catalogs or databases, a gateway, etc.

An authentication system can include one or more components toauthenticate users to access, use, and/or configure the system 102.Similarly, the authentication system can be used to restrict what aparticular user can do on the system 102 and/or what components or dataa user can access, etc.

An orchestration system can include one or more components to manageand/or monitor the various components of the system 102. In someembodiments, the orchestration system can monitor the components of thesystem 102 to detect when one or more components has failed or isunavailable and enable the system 102 to recover from the failure (e.g.,by adding additional components, fixing the failed component, or havingother components complete the tasks assigned to the failed component).In certain cases, the orchestration system can determine when to addcomponents to or remove components from a particular system 110, 112,114, 116 (e.g., based on usage, user/tenant requests, etc.). Inembodiments where the system 102 is implemented in a shared computingresource environment, the orchestration system can facilitate thecreation and/or destruction of isolated execution environments orinstances of the components of the system 102, etc.

In certain embodiments, the system 102 can include various componentsthat enable it to provide stateless services or enable it to recoverfrom an unavailable or unresponsive component without data loss in atime efficient manner. For example, the system 102 can store contextualinformation about its various components in a distributed way such thatif one of the components becomes unresponsive or unavailable, the system102 can replace the unavailable component with a different component andprovide the replacement component with the contextual information. Inthis way, the system 102 can quickly recover from an unresponsive orunavailable component while reducing or eliminating the loss of datathat was being processed by the unavailable component.

In some embodiments, the system 102 can store the contextual informationin a catalog, as described herein. In certain embodiments, thecontextual information can correspond to information that the system 102has determined or learned based on use. In some cases, the contextualinformation can be stored as annotations (manual annotations and/orsystem annotations), as described herein.

In certain embodiments, the system 102 can include an additional catalogthat monitors the location and storage of data in the storage system 116to facilitate efficient access of the data during search time. Incertain embodiments, such a catalog may form part of the storage system116.

In some embodiments, the system 102 can include a gateway or othermechanism to interact with external devices or to facilitatecommunications between components of the system 102. In someembodiments, the gateway can be implemented using an applicationprogramming interface (API). In certain embodiments, the gateway can beimplemented using a representational state transfer API (REST API).

In some environments, a user of a system 102 may install and configure,on computing devices owned and operated by the user, one or moresoftware applications that implement some or all of the components ofthe system 102. For example, with reference to FIG. 1 , a user mayinstall a software application on server computers owned by the user andconfigure each server to operate as one or more components of the intakesystem 110, indexing system 112, query system 114, shared storage system116, or other components of the system 102. This arrangement generallymay be referred to as an “on-premises” solution. That is, the system 102is installed and operates on computing devices directly controlled bythe user of the system 102. Some users may prefer an on-premisessolution because it may provide a greater level of control over theconfiguration of certain aspects of the system (e.g., security, privacy,standards, controls, etc.). However, other users may instead prefer anarrangement in which the user is not directly responsible for providingand managing the computing devices upon which various components ofsystem 102 operate.

In certain embodiments, one or more of the components of the system 102can be implemented in a shared computing resource environment. In thiscontext, a shared computing resource environment or cloud-based servicecan refer to a service hosted by one more computing resources that areaccessible to end users over a network, for example, by using a webbrowser or other application on a client device to interface with theremote computing resources. For example, a service provider may providea system 102 by managing computing resources configured to implementvarious aspects of the system (e.g., intake system 110, indexing system112, query system 114, shared storage system 116, other components,etc.) and by providing access to the system to end users via a network.Typically, a user may pay a subscription or other fee to use such aservice. Each subscribing user of the cloud-based service may beprovided with an account that enables the user to configure a customizedcloud-based system based on the user's preferences.

When implemented in a shared computing resource environment, theunderlying hardware (non-limiting examples: processors, hard drives,solid-state memory, RAM, etc.) on which the components of the system 102execute can be shared by multiple customers or tenants as part of theshared computing resource environment. In addition, when implemented ina shared computing resource environment as a cloud-based service,various components of the system 102 can be implemented usingcontainerization or operating-system-level virtualization, or othervirtualization technique. For example, one or more components of theintake system 110, indexing system 112, or query system 114 can beimplemented as separate software containers or container instances. Eachcontainer instance can have certain computing resources (e.g., memory,processor, etc.) of an underlying hosting computing system (e.g.,server, microprocessor, etc.) assigned to it, but may share the sameoperating system and may use the operating system's system callinterface. Each container may provide an isolated execution environmenton the host system, such as by providing a memory space of the hostingsystem that is logically isolated from memory space of other containers.Further, each container may run the same or different computerapplications concurrently or separately, and may interact with eachother. Although reference is made herein to containerization andcontainer instances, it will be understood that other virtualizationtechniques can be used. For example, the components can be implementedusing virtual machines using full virtualization or paravirtualization,etc. Thus, where reference is made to “containerized” components, itshould be understood that such components may additionally oralternatively be implemented in other isolated execution environments,such as a virtual machine environment.

Implementing the system 102 in a shared computing resource environmentcan provide a number of benefits. In some cases, implementing the system102 in a shared computing resource environment can make it easier toinstall, maintain, and update the components of the system 102. Forexample, rather than accessing designated hardware at a particularlocation to install or provide a component of the system 102, acomponent can be remotely instantiated or updated as desired. Similarly,implementing the system 102 in a shared computing resource environmentor as a cloud-based service can make it easier to meet dynamic demand.For example, if the system 102 experiences significant load at indexingor search, additional compute resources can be deployed to process theadditional data or queries. In an “on-premises” environment, this typeof flexibility and scalability may not be possible or feasible.

In addition, by implementing the system 102 in a shared computingresource environment or as a cloud-based service can improve computeresource utilization. For example, in an on-premises environment if thedesignated compute resources are not being used by, they may sit idleand unused. In a shared computing resource environment, if the computeresources for a particular component are not being used, they can bere-allocated to other tasks within the system 102 and/or to othersystems unrelated to the system 102.

As mentioned, in an on-premises environment, data from one instance of asystem 102 is logically and physically separated from the data ofanother instance of a system 102 by virtue of each instance having itsown designated hardware. As such, data from different customers of thesystem 102 is logically and physically separated from each other. In ashared computing resource environment, components of a system 102 can beconfigured to process the data from one customer or tenant or frommultiple customers or tenants. Even in cases where a separate componentof a system 102 is used for each customer, the underlying hardware onwhich the components of the system 102 are instantiated may stillprocess data from different tenants. Accordingly, in a shared computingresource environment, the data from different tenants may not bephysically separated on distinct hardware devices. For example, datafrom one tenant may reside on the same hard drive as data from anothertenant or be processed by the same processor. In such cases, the system102 can maintain logical separation between tenant data. For example,the system 102 can include separate directories for different tenantsand apply different permissions and access controls to access thedifferent directories or to process the data, etc.

In certain cases, the tenant data from different tenants is mutuallyexclusive and/or independent from each other. For example, in certaincases, Tenant A and Tenant B do not share the same data, similar to theway in which data from a local hard drive of Customer A is mutuallyexclusive and independent of the data (and not considered part) of alocal hard drive of Customer B. While Tenant A and Tenant B may havematching or identical data, each tenant would have a separate copy ofthe data. For example, with reference again to the local hard drive ofCustomer A and Customer B example, each hard drive could include thesame file. However, each instance of the file would be considered partof the separate hard drive and would be independent of the other file.Thus, one copy of the file would be part of Customer's A hard drive anda separate copy of the file would be part of Customer B's hard drive. Ina similar manner, to the extent Tenant A has a file that is identical toa file of Tenant B, each tenant would have a distinct and independentcopy of the file stored in different locations on a data store or ondifferent data stores.

Further, in certain cases, the system 102 can maintain the mutualexclusivity and/or independence between tenant data even as the tenantdata is being processed, stored, and searched by the same underlyinghardware. In certain cases, to maintain the mutual exclusivity and/orindependence between the data of different tenants, the system 102 canuse tenant identifiers to uniquely identify data associated withdifferent tenants.

In a shared computing resource environment, some components of thesystem 102 can be instantiated and designated for individual tenants andother components can be shared by multiple tenants. In certainembodiments, a separate intake system 110, indexing system 112, andquery system 114 can be instantiated for each tenant, whereas the sharedstorage system 116 or other components (e.g., data store, metadatacatalog, and/or acceleration data store, described below) can be sharedby multiple tenants. In some such embodiments where components areshared by multiple tenants, the components can maintain separatedirectories for the different tenants to ensure their mutual exclusivityand/or independence from each other. Similarly, in some suchembodiments, the system 102 can use different hosting computing systemsor different isolated execution environments to process the data fromthe different tenants as part of the intake system 110, indexing system112, and/or query system 114.

In some embodiments, individual components of the intake system 110,indexing system 112, and/or query system 114 may be instantiated foreach tenant or shared by multiple tenants. For example, some individualintake system components (e.g., forwarders, output ingestion buffer) maybe instantiated and designated for individual tenants, while otherintake system components (e.g., a data retrieval subsystem, intakeingestion buffer, and/or streaming data processor), may be shared bymultiple tenants.

In certain embodiments, an indexing system 112 (or certain componentsthereof) can be instantiated and designated for a particular tenant orshared by multiple tenants. In some embodiments where a separateindexing system 112 is instantiated and designated for each tenant,different resources can be reserved for different tenants. For example,Tenant A can be consistently allocated a minimum of four indexing nodesand Tenant B can be consistently allocated a minimum of two indexingnodes. In some such embodiments, the four indexing nodes can be reservedfor Tenant A and the two indexing nodes can be reserved for Tenant B,even if Tenant A and Tenant B are not using the reserved indexing nodes.

In embodiments where an indexing system 112 is shared by multipletenants, components of the indexing system 112 can be dynamicallyassigned to different tenants. For example, if Tenant A has greaterindexing demands, additional indexing nodes can be instantiated orassigned to Tenant A's data. However, as the demand decreases, theindexing nodes can be reassigned to a different tenant, or terminated.Further, in some embodiments, a component of the indexing system 112 canconcurrently process data from the different tenants.

In some embodiments, one instance of query system 114 may be shared bymultiple tenants. In some such cases, the same search head can be usedto process/execute queries for different tenants and/or the same searchnodes can be used to execute query for different tenants. Further, insome such cases, different tenants can be allocated different amounts ofcompute resources. For example, Tenant A may be assigned more searchheads or search nodes based on demand or based on a service levelarrangement than another tenant. However, once a search is completed thesearch head and/or nodes assigned to Tenant A may be assigned to TenantB, deactivated, or their resource may be re-allocated to othercomponents of the system 102, etc.

In some cases, by sharing more components with different tenants, thefunctioning of the system 102 can be improved. For example, by sharingcomponents across tenants, the system 102 can improve resourceutilization thereby reducing the amount of resources allocated as awhole. For example, if four indexing nodes, two search heads, and foursearch nodes are reserved for each tenant then those compute resourcesare unavailable for use by other processes or tenants, even if they gounused. In contrast, by sharing the indexing nodes, search heads, andsearch nodes with different tenants and instantiating additional computeresources, the system 102 can use fewer resources overall whileproviding improved processing time for the tenants that are using thecompute resources. For example, if tenant A is not using any searchnodes 506 and tenant B has many searches running, the system 102 can usesearch nodes that would have been reserved for tenant A to servicetenant B. In this way, the system 102 can decrease the number of computeresources used/reserved, while improving the search time for tenant Band improving compute resource utilization.

2.0. Data Ingestion, Indexing, and Storage

FIG. 2 is a flow diagram illustrating an embodiment of a routineimplemented by the system 102 to process, index, and store data receivedfrom host devices 104. The data flow illustrated in FIG. 2 is providedfor illustrative purposes only. It will be understood that one or moreof the steps of the processes illustrated in FIG. 2 may be removed orthat the ordering of the steps may be changed. Furthermore, for thepurposes of illustrating a clear example, one or more particular systemcomponents are described in the context of performing various operationsduring each of the data flow stages. For example, the intake system 110is described as receiving machine data and the indexing system 112 isdescribed as generating events, grouping events, and storing events.However, other system arrangements and distributions of the processingsteps across system components may be used. For example, in some cases,the intake system 110 may generate events.

At block 202, the intake system 110 receives data from a host device104. The intake system 110 initially may receive the data as a raw datastream generated by the host device 104. For example, the intake system110 may receive a data stream from a log file generated by anapplication server, from a stream of network data from a network device,or from any other source of data. Non-limiting examples of machine datathat can be received by the intake system 110 is described herein withreference to FIG. 3A.

In some embodiments, the intake system 110 receives the raw data and maysegment the data stream into messages, possibly of a uniform data size,to facilitate subsequent processing steps. The intake system 110 maythereafter process the messages in accordance with one or more rules toconduct preliminary processing of the data. In one embodiment, theprocessing conducted by the intake system 110 may be used to indicateone or more metadata fields applicable to each message. For example, theintake system 110 may include metadata fields within the messages, orpublish the messages to topics indicative of a metadata field. Thesemetadata fields may, for example, provide information related to amessage as a whole and may apply to each event that is subsequentlyderived from the data in the message. For example, the metadata fieldsmay include separate fields specifying each of a host, a source, and asourcetype related to the message. A host field may contain a valueidentifying a host name or IP address of a device that generated thedata. A source field may contain a value identifying a source of thedata, such as a pathname of a file or a protocol and port related toreceived network data. A sourcetype field may contain a value specifyinga particular sourcetype label for the data. Additional metadata fieldsmay also be included, such as a character encoding of the data, ifknown, and possibly other values that provide information relevant tolater processing steps. In certain embodiments, the intake system 110may perform additional operations, such as, but not limited to,identifying individual events within the data, determining timestampsfor the data, further enriching the data, etc.

At block 204, the indexing system 112 generates events from the data. Insome cases, as part of generating the events, the indexing system 112can parse the data of the message. In some embodiments, the indexingsystem 112 can determine a sourcetype associated with each message(e.g., by extracting a sourcetype label from the metadata fieldsassociated with the message, etc.) and refer to a sourcetypeconfiguration corresponding to the identified sourcetype to parse thedata of the message. The sourcetype definition may include one or moreproperties that indicate to the indexing system 112 to automaticallydetermine the boundaries within the received data that indicate theportions of machine data for events. In general, these properties mayinclude regular expression-based rules or delimiter rules where, forexample, event boundaries may be indicated by predefined characters orcharacter strings. These predefined characters may include punctuationmarks or other special characters including, for example, carriagereturns, tabs, spaces, line breaks, etc. If a sourcetype for the data isunknown to the indexing system 112, the indexing system 112 may infer asourcetype for the data by examining the structure of the data. Then,the indexing system 112 can apply an inferred sourcetype definition tothe data to create the events.

In addition, as part of generating events from the data, the indexingsystem 112 can determine a timestamp for each event. Similar to theprocess for parsing machine data, the indexing system 112 may againrefer to a sourcetype definition associated with the data to locate oneor more properties that indicate instructions for determining atimestamp for each event. The properties may, for example, instruct theindexing system 112 to extract a time value from a portion of data forthe event (e.g., using a regex rule), to interpolate time values basedon timestamps associated with temporally proximate events, to create atimestamp based on a time the portion of machine data was received orgenerated, to use the timestamp of a previous event, or use any otherrules for determining timestamps, etc.

The indexing system 112 can also associate events with one or moremetadata fields. In some embodiments, a timestamp may be included in themetadata fields. These metadata fields may include any number of“default fields” that are associated with all events, and may alsoinclude one more custom fields as defined by a user. In certainembodiments, the default metadata fields associated with each event mayinclude a host, source, and sourcetype field including or in addition toa field storing the timestamp.

In certain embodiments, the indexing system 112 can also apply one ormore transformations to event data that is to be included in an event.For example, such transformations can include removing a portion of theevent data (e.g., a portion used to define event boundaries, extraneouscharacters from the event, other extraneous text, etc.), masking aportion of event data (e.g., masking a credit card number), removingredundant portions of event data, etc. The transformations applied toevent data may, for example, be specified in one or more configurationfiles and referenced by one or more sourcetype definitions.

At block 206, the indexing system 112 can group events. In someembodiments, the indexing system 112 can group events based on time. Forexample, events generated within a particular time period or events thathave a time stamp within a particular time period can be groupedtogether to form a bucket. A non-limiting example of a bucket isdescribed herein with reference to FIG. 3B.

In certain embodiments, multiple components of the indexing system, suchas an indexing node, can concurrently generate events and buckets.Furthermore, each indexing node that generates and groups events canconcurrently generate multiple buckets. For example, multiple processorsof an indexing node can concurrently process data, generate events, andgenerate buckets. Further, multiple indexing nodes can concurrentlygenerate events and buckets. As such, ingested data can be processed ina highly distributed manner.

In some embodiments, as part of grouping events together, the indexingsystem 112 can generate one or more inverted indexes for a particulargroup of events. A non-limiting example of an inverted index isdescribed herein with reference to FIG. 3C. In certain embodiments, theinverted indexes can include location information for events of abucket. For example, the events of a bucket may be compressed into oneor more files to reduce their size. The inverted index can includelocation information indicating the particular file and/or locationwithin a particular file of a particular event.

In certain embodiments, the inverted indexes may include keyword entriesor entries for field values or field name-value pairs found in events.In some cases, a field name-value pair can include a pair of wordsconnected by a symbol, such as an equals sign or colon. The entries canalso include location information for events that include the keyword,field value, or field value pair. In this way, relevant events can bequickly located. In some embodiments, fields can automatically begenerated for some or all of the field names of the field name-valuepairs at the time of indexing. For example, if the string“dest=10.0.1.2” is found in an event, a field named “dest” may becreated for the event, and assigned a value of “10.0.1.2.” In certainembodiments, the indexing system can populate entries in the invertedindex with field name-value pairs by parsing events using one or moreregex rules to determine a field value associated with a field definedby the regex rule. For example, the regex rule may indicate how to finda field value for a userID field in certain events. In some cases, theindexing system 112 can use the sourcetype of the event to determinewhich regex to use for identifying field values.

At block 208, the indexing system 112 stores the events with anassociated timestamp in the storage system 116, which may be in a localdata store and/or in a shared storage system. Timestamps enable a userto search for events based on a time range. In some embodiments, thestored events are organized into “buckets,” where each bucket storesevents associated with a specific time range based on the timestampsassociated with each event. As mentioned, FIGS. 3B and 3C illustrate anexample of a bucket. This improves time-based searching, as well asallows for events with recent timestamps, which may have a higherlikelihood of being accessed, to be stored in a faster memory tofacilitate faster retrieval. For example, buckets containing the mostrecent events can be stored in flash memory rather than on a hard disk.In some embodiments, each bucket may be associated with an identifier, atime range, and a size constraint.

The indexing system 112 may be responsible for storing the events in thestorage system 116. As mentioned, the events or buckets can be storedlocally on a component of the indexing system 112 or in a shared storagesystem 116. In certain embodiments, the component that generates theevents and/or stores the events (indexing node) can also be assigned tosearch the events. In some embodiments separate components can be usedfor generating and storing events (indexing node) and for searching theevents (search node).

By storing events in a distributed manner (either by storing the eventsat different components or in a shared storage system 116), the querysystem 114 can analyze events for a query in parallel. For example,using map-reduce techniques, multiple components of the query system(e.g., indexing or search nodes) can concurrently search and providepartial responses for a subset of events to another component (e.g.,search head) that combines the results to produce an answer for thequery. By storing events in buckets for specific time ranges, theindexing system 112 may further optimize the data retrieval process bythe query system 114 to search buckets corresponding to time ranges thatare relevant to a query. In some embodiments, each bucket may beassociated with an identifier, a time range, and a size constraint. Incertain embodiments, a bucket can correspond to a file system directoryand the machine data, or events, of a bucket can be stored in one ormore files of the file system directory. The file system directory caninclude additional files, such as one or more inverted indexes, highperformance indexes, permissions files, configuration files, etc.

In embodiments where components of the indexing system 112 store bucketslocally, the components can include a home directory and a colddirectory. The home directory can store hot buckets and warm buckets,and the cold directory stores cold buckets. A hot bucket can refer to abucket that is capable of receiving and storing additional events. Awarm bucket can refer to a bucket that can no longer receive events forstorage, but has not yet been moved to the cold directory. A cold bucketcan refer to a bucket that can no longer receive events and may be abucket that was previously stored in the home directory. The homedirectory may be stored in faster memory, such as flash memory, asevents may be actively written to the home directory, and the homedirectory may typically store events that are more frequently searchedand thus are accessed more frequently. The cold directory may be storedin slower and/or larger memory, such as a hard disk, as events are nolonger being written to the cold directory, and the cold directory maytypically store events that are not as frequently searched and thus areaccessed less frequently. In some embodiments, components of theindexing system 112 may also have a quarantine bucket that containsevents having potentially inaccurate information, such as an incorrecttimestamp associated with the event or a timestamp that appears to be anunreasonable timestamp for the corresponding event. The quarantinebucket may have events from any time range; as such, the quarantinebucket may always be searched at search time. Additionally, componentsof the indexing system may store old, archived data in a frozen bucketthat is not capable of being searched at search time. In someembodiments, a frozen bucket may be stored in slower and/or largermemory, such as a hard disk, and may be stored in offline and/or remotestorage.

In some embodiments, components of the indexing system 112 may notinclude a cold directory and/or cold or frozen buckets. For example, inembodiments where buckets are copied to a shared storage system 116 andsearched by separate components of the query system 114, buckets can bedeleted from components of the indexing system as they are stored to thestorage system 116. In certain embodiments, the shared storage system116 may include a home directory that includes warm buckets copied fromthe indexing system 112 and a cold directory of cold or frozen bucketsas described above.

FIG. 3A is a block diagram illustrating an embodiment of machine datareceived by the system 102. The machine data can correspond to data fromone or more host devices 104 or data sources. As mentioned, the datasource can correspond to a log file, data stream or other data structurethat is accessible by a host device 104. In the illustrated embodimentof FIG. 3A, the machine data has different forms. For example, themachine data 302 may be log data that is unstructured or that does nothave any clear structure or fields, and include different portions302A-302E that correspond to different entries of the log and thatseparated by boundaries. Such data may also be referred to as rawmachine data.

The machine data 304 may be referred to as structured or semi-structuredmachine data as it does include some data in a JSON structure definingcertain field and field values (e.g., machine data 304A showing fieldname:field values container name:kube-apiserver, host:ip 172 20 43173.ec2.internal, pod_id:0a73017b-4efa-11e8-a4e1-0a2bf2ab4bba, etc.),but other parts of the machine data 304 is unstructured or raw machinedata (e.g., machine data 304B). The machine data 306 may be referred toas structured data as it includes particular rows and columns of datawith field names and field values.

In some embodiments, the machine data 302 can correspond to log datagenerated by a host device 104 configured as an Apache server, themachine data 304 can correspond to log data generated by a host device104 in a shared computing resource environment, and the machine data 306can correspond to metrics data. Given the differences between hostdevices 104 that generated the log data 302, 304, the form of the logdata 302, 304 is different. In addition, as the log data 304 is from ahost device 104 in a shared computing resource environment, it caninclude log data generated by an application being executed within anisolated execution environment (304B, excluding the field name “log:”)and log data generated by an application that enables the sharing ofcomputing resources between isolated execution environments (all otherdata in 304). Although shown together in FIG. 3A, it will be understoodthat machine data with different hosts, sources, or sourcetypes can bereceived separately and/or found in different data sources and/or hostdevices 104.

As described herein, the system 102 can process the machine data basedon the form in which it is received. In some cases, the intake system110 can utilize one or more rules to process the data. In certainembodiments, the intake system 110 can enrich the received data. Forexample, the intake system may add one or more fields to the datareceived from the host devices 104, such as fields denoting the host,source, sourcetype, index, or tenant associated with the incoming data.In certain embodiments, the intake system 110 can perform additionalprocessing on the incoming data, such as transforming structured datainto unstructured data (or vice versa), identifying timestampsassociated with the data, removing extraneous data, parsing data,indexing data, separating data, categorizing data, routing data based oncriteria relating to the data being routed, and/or performing other datatransformations, etc.

In some cases, the data processed by the intake system 110 can becommunicated or made available to the indexing system 112, the querysystem 114, and/or to other systems. In some embodiments, the intakesystem 110 communicates or makes available streams of data using one ormore shards. For example, the indexing system 112 may read or receivedata from one shard and another system may receive data from anothershard. As another example, multiple systems may receive data from thesame shard.

As used herein, a partition can refer to a logical division of data. Insome cases, the logical division of data may refer to a portion of adata stream, such as a shard from the intake system 110. In certaincases, the logical division of data can refer to an index or otherportion of data stored in the storage system 116, such as differentdirectories or file structures used to store data or buckets.Accordingly, it will be understood that the logical division of datareferenced by the term partition will be understood based on the contextof its use.

FIGS. 3B and 3C are block diagrams illustrating embodiments of variousdata structures for storing data processed by the system 102. FIG. 3Bincludes an expanded view illustrating an example of machine data storedin a data store 310 of the data storage system 116. It will beunderstood that the depiction of machine data and associated metadata asrows and columns in the table 319 of FIG. 3B is merely illustrative andis not intended to limit the data format in which the machine data andmetadata is stored in various embodiments described herein. In oneparticular embodiment, machine data can be stored in a compressed orencrypted format. In such embodiments, the machine data can be storedwith or be associated with data that describes the compression orencryption scheme with which the machine data is stored. The informationabout the compression or encryption scheme can be used to decompress ordecrypt the machine data, and any metadata with which it is stored, atsearch time.

In the illustrated embodiment of FIG. 3B the data store 310 includes adirectory 312 (individually referred to as 312A, 312B) for each index(or partition) that contains a portion of data stored in the data store310 and a sub-directory 314 (individually referred to as 314A, 314B,314C) for one or more buckets of the index. In the illustratedembodiment of FIG. 3B, each sub-directory 314 corresponds to a bucketand includes an event data file 316 (individually referred to as 316A,316B, 316C) and an inverted index 318 (individually referred to as 318A,318B, 318C). However, it will be understood that each bucket can beassociated with fewer or more files and each sub-directory 314 can storefewer or more files.

In the illustrated embodiment, the data store 310 includes a _maindirectory 312A associated with an index “_main” and a _test directory312B associated with an index “_test.” However, the data store 310 caninclude fewer or more directories. In some embodiments, multiple indexescan share a single directory or all indexes can share a commondirectory. Additionally, although illustrated as a single data store310, it will be understood that the data store 310 can be implemented asmultiple data stores storing different portions of the information shownin FIG. 3C. For example, a single index can span multiple directories ormultiple data stores.

Furthermore, although not illustrated in FIG. 3B, it will be understoodthat, in some embodiments, the data store 310 can include directoriesfor each tenant and sub-directories for each index of each tenant, orvice versa. Accordingly, the directories 312A and 312B can, in certainembodiments, correspond to sub-directories of a tenant or includesub-directories for different tenants.

In the illustrated embodiment of FIG. 3B, two sub-directories 314A, 314Bof the _main directory 312A and one sub-directory 312C of the _testdirectory 312B are shown. The sub-directories 314A, 314B, 314C cancorrespond to buckets of the indexes associated with the directories312A, 312B. For example, the sub-directories 314A and 314B cancorrespond to buckets “B1” and “B2,” respectively, of the index “_main”and the sub-directory 314C can correspond to bucket “B1” of the index“_test.” Accordingly, even though there are two “B1” buckets shown, aseach “B1” bucket is associated with a different index (and correspondingdirectory 312), the system 102 can uniquely identify them.

Although illustrated as buckets “B1” and “B2,” it will be understoodthat the buckets (and/or corresponding sub-directories 314) can be namedin a variety of ways. In certain embodiments, the bucket (orsub-directory) names can include information about the bucket. Forexample, the bucket name can include the name of the index with whichthe bucket is associated, a time range of the bucket, etc.

As described herein, each bucket can have one or more files associatedwith it, including, but not limited to one or more raw machine datafiles, bucket summary files, filter files, inverted indexes (alsoreferred to herein as high performance indexes or keyword indexes),permissions files, configuration files, etc. In the illustratedembodiment of FIG. 3B, the files associated with a particular bucket canbe stored in the sub-directory corresponding to the particular bucket.Accordingly, the files stored in the sub-directory 314A can correspondto or be associated with bucket “B1,” of index “_main,” the files storedin the sub-directory 314B can correspond to or be associated with bucket“B2” of index “_main,” and the files stored in the sub-directory 314Ccan correspond to or be associated with bucket “B1” of index “_test.”

FIG. 3B further illustrates an expanded event data file 316C showing anexample of data that can be stored therein. In the illustratedembodiment, four events 320, 322, 324, 326 of the machine data file 316Care shown in four rows. Each event 320-326 includes machine data 330 anda timestamp 332. The machine data 330 can correspond to the machine datareceived by the system 102. For example, in the illustrated embodiment,the machine data 330 of events 320, 322, 324, 326 corresponds toportions 302A, 302B, 302C, 302D, respectively, of the machine data 302after it was processed by the indexing system 112.

Metadata 334-338 associated with the events 320-326 is also shown in thetable 319. In the illustrated embodiment, the metadata 334-338 includesinformation about a host 334, source 336, and sourcetype 338 associatedwith the events 320-326. Any of the metadata can be extracted from thecorresponding machine data, or supplied or defined by an entity, such asa user or computer system. The metadata fields 334-338 can become partof, stored with, or otherwise associated with the events 320-326. Incertain embodiments, the metadata 334-338 can be stored in a separatefile of the sub-directory 314C and associated with the machine data file316C. In some cases, while the timestamp 332 can be extracted from theraw data of each event, the values for the other metadata fields may bedetermined by the indexing system 112 based on information it receivespertaining to the host device 104 or data source of the data separatefrom the machine data.

While certain default or user-defined metadata fields can be extractedfrom the machine data for indexing purposes, the machine data within anevent can be maintained in its original condition. As such, inembodiments in which the portion of machine data included in an event isunprocessed or otherwise unaltered, it is referred to herein as aportion of raw machine data. For example, in the illustrated embodiment,the machine data of events 320-326 is identical to the portions of themachine data 302A-302D, respectively, used to generate a particularevent. Similarly, the entirety of the machine data 302 may be foundacross multiple events. As such, unless certain information needs to beremoved for some reasons (e.g. extraneous information, confidentialinformation), all the raw machine data contained in an event can bepreserved and saved in its original form. Accordingly, the data store inwhich the event records are stored is sometimes referred to as a “rawrecord data store.” The raw record data store contains a record of theraw event data tagged with the various fields.

In other embodiments, the portion of machine data in an event can beprocessed or otherwise altered relative to the machine data used tocreate the event. With reference to the machine data 304, the machinedata of a corresponding event (or events) may be modified such that onlya portion of the machine data 304 is stored as one or more events. Forexample, in some cases, only machine data 304B of the machine data 304may be retained as one or more events or the machine data 304 may bealtered to remove duplicate data, confidential information, etc.

In FIG. 3B, the first three rows of the table 319 present events 320,322, and 324 and are related to a server access log that recordsrequests from multiple clients processed by a server, as indicated byentry of “access.log” in the source column 336. In the example shown inFIG. 3B, each of the events 320-324 is associated with a discreterequest made to the server by a client. The raw machine data generatedby the server and extracted from a server access log can include the IPaddress 1140 of the client, the user id 1141 of the person requestingthe document, the time 1142 the server finished processing the request,the request line 1143 from the client, the status code 1144 returned bythe server to the client, the size of the object 1145 returned to theclient (in this case, the gif file requested by the client) and the timespent 1146 to serve the request in microseconds. In the illustratedembodiments of FIGS. 3A, 3B, all the raw machine data retrieved from theserver access log is retained and stored as part of the correspondingevents 320-324 in the file 316C.

Event 326 is associated with an entry in a server error log, asindicated by “error.log” in the source column 336 that records errorsthat the server encountered when processing a client request. Similar tothe events related to the server access log, all the raw machine data inthe error log file pertaining to event 326 can be preserved and storedas part of the event 326.

Saving minimally processed or unprocessed machine data in a data storeassociated with metadata fields in the manner similar to that shown inFIG. 3B is advantageous because it allows search of all the machine dataat search time instead of searching only previously specified andidentified fields or field-value pairs. As mentioned above, because datastructures used by various embodiments of the present disclosuremaintain the underlying raw machine data and use a late-binding schemafor searching the raw machines data, it enables a user to continueinvestigating and learn valuable insights about the raw data. In otherwords, the user is not compelled to know about all the fields ofinformation that will be needed at data ingestion time. As a user learnsmore about the data in the events, the user can continue to refine thelate-binding schema by defining new extraction rules, or modifying ordeleting existing extraction rules used by the system.

FIG. 3C illustrates an embodiment of another file that can be includedin one or more subdirectories 314 or buckets. Specifically, FIG. 3Cillustrates an exploded view of an embodiments of an inverted index 318Bin the sub-directory 314B, associated with bucket “B2” of the index“_main,” as well as an event reference array 340 associated with theinverted index 318B.

In some embodiments, the inverted indexes 318 can correspond to distincttime-series buckets. As such, each inverted index 318 can correspond toa particular range of time for an index. In the illustrated embodimentof FIG. 3C, the inverted indexes 318A, 318B correspond to the buckets“B1” and “B2,” respectively, of the index “_main,” and the invertedindex 318C corresponds to the bucket “B1” of the index “_test.” In someembodiments, an inverted index 318 can correspond to multipletime-series buckets (e.g., include information related to multiplebuckets) or inverted indexes 318 can correspond to a single time-seriesbucket.

Each inverted index 318 can include one or more entries, such as keyword(or token) entries 342 or field-value pair entries 344. Furthermore, incertain embodiments, the inverted indexes 318 can include additionalinformation, such as a time range 346 associated with the inverted indexor an index identifier 348 identifying the index associated with theinverted index 318. It will be understood that each inverted index 318can include less or more information than depicted. For example, in somecases, the inverted indexes 318 may omit a time range 346 and/or indexidentifier 348. In some such embodiments, the index associated with theinverted index 318 can be determined based on the location (e.g.,directory 312) of the inverted index 318 and/or the time range of theinverted index 318 can be determined based on the name of thesub-directory 314.

Token entries, such as token entries 342 illustrated in inverted index318B, can include a token 342A (e.g., “error,” “itemID,” etc.) and eventreferences 342B indicative of events that include the token. Forexample, for the token “error,” the corresponding token entry includesthe token “error” and an event reference, or unique identifier, for eachevent stored in the corresponding time-series bucket that includes thetoken “error.” In the illustrated embodiment of FIG. 3C, the error tokenentry includes the identifiers 3, 5, 6, 8, 11, and 12 corresponding toevents located in the bucket “B2” of the index “_main.”

In some cases, some token entries can be default entries, automaticallydetermined entries, or user specified entries. In some embodiments, theindexing system 112 can identify each word or string in an event as adistinct token and generate a token entry for the identified word orstring. In some cases, the indexing system 112 can identify thebeginning and ending of tokens based on punctuation, spaces, etc. Incertain cases, the indexing system 112 can rely on user input or aconfiguration file to identify tokens for token entries 342, etc. Itwill be understood that any combination of token entries can be includedas a default, automatically determined, or included based onuser-specified criteria.

Similarly, field-value pair entries, such as field-value pair entries344 shown in inverted index 318B, can include a field-value pair 344Aand event references 344B indicative of events that include a fieldvalue that corresponds to the field-value pair (or the field-valuepair). For example, for a field-value pair sourcetype::sendmail, afield-value pair entry 344 can include the field-value pair“sourcetype::sendmail” and a unique identifier, or event reference, foreach event stored in the corresponding time-series bucket that includesa sourcetype “sendmail.”

In some cases, the field-value pair entries 344 can be default entries,automatically determined entries, or user specified entries. As anon-limiting example, the field-value pair entries for the fields“host,” “source,” and “sourcetype” can be included in the invertedindexes 318 as a default. As such, all of the inverted indexes 318 caninclude field-value pair entries for the fields “host,” “source,” and“sourcetype.” As yet another non-limiting example, the field-value pairentries for the field “IP_address” can be user specified and may onlyappear in the inverted index 318B or the inverted indexes 318A, 318B ofthe index “_main” based on user-specified criteria. As anothernon-limiting example, as the indexing system 112 indexes the events, itcan automatically identify field-value pairs and create field-value pairentries 344. For example, based on the indexing system's 212 review ofevents, it can identify IP_address as a field in each event and add theIP_address field-value pair entries to the inverted index 318B (e.g.,based on punctuation, like two keywords separated by an ‘=’ or ‘:’etc.). It will be understood that any combination of field-value pairentries can be included as a default, automatically determined, orincluded based on user-specified criteria.

With reference to the event reference array 340, each unique identifier350, or event reference, can correspond to a unique event located in thetime series bucket or machine data file 316B. The same event referencecan be located in multiple entries of an inverted index 318. For exampleif an event has a sourcetype “splunkd,” host “www1” and token “warning,”then the unique identifier for the event can appear in the field-valuepair entries 344 “sourcetype::splunkd” and “host::www1,” as well as thetoken entry “warning.” With reference to the illustrated embodiment ofFIG. 3C and the event that corresponds to the event reference 3, theevent reference 3 is found in the field-value pair entries 344“host::hostA,” “source::sourceB,” “sourcetype::sourcetypeA,” and“IP_address::91.205.189.15” indicating that the event corresponding tothe event references is from hostA, sourceB, of sourcetypeA, andincludes “91.205.189.15” in the event data.

For some fields, the unique identifier is located in only onefield-value pair entry for a particular field. For example, the invertedindex 318 may include four sourcetype field-value pair entries 344corresponding to four different sourcetypes of the events stored in abucket (e.g., sourcetypes: sendmail, splunkd, web_access, andweb_service). Within those four sourcetype field-value pair entries, anidentifier for a particular event may appear in only one of thefield-value pair entries. With continued reference to the exampleillustrated embodiment of FIG. 3C, since the event reference 7 appearsin the field-value pair entry “sourcetype::sourcetypeA,” then it doesnot appear in the other field-value pair entries for the sourcetypefield, including “sourcetype::sourcetypeB,” “sourcetype::sourcetypeC,”and “sourcetype::sourcetypeD.”

The event references 350 can be used to locate the events in thecorresponding bucket or machine data file 316. For example, the invertedindex 318B can include, or be associated with, an event reference array340. The event reference array 340 can include an array entry 350 foreach event reference in the inverted index 318B. Each array entry 350can include location information 352 of the event corresponding to theunique identifier (non-limiting example: seek address of the event,physical address, slice ID, etc.), a timestamp 354 associated with theevent, or additional information regarding the event associated with theevent reference, etc.

For each token entry 342 or field-value pair entry 344, the eventreference 342B, 344B, respectively, or unique identifiers can be listedin chronological order or the value of the event reference can beassigned based on chronological data, such as a timestamp associatedwith the event referenced by the event reference. For example, the eventreference 1 in the illustrated embodiment of FIG. 3C can correspond tothe first-in-time event for the bucket, and the event reference 12 cancorrespond to the last-in-time event for the bucket. However, the eventreferences can be listed in any order, such as reverse chronologicalorder, ascending order, descending order, or some other order (e.g.,based on time received or added to the machine data file), etc. Further,the entries can be sorted. For example, the entries can be sortedalphabetically (collectively or within a particular group), by entryorigin (e.g., default, automatically generated, user-specified, etc.),by entry type (e.g., field-value pair entry, token entry, etc.), orchronologically by when added to the inverted index, etc. In theillustrated embodiment of FIG. 3C, the entries are sorted first by entrytype and then alphabetically.

In some cases, inverted indexes 318 can decrease the search time of aquery. For example, for a statistical query, by using the invertedindex, the system 102 can avoid the computational overhead of parsingindividual events in a machine data file 316. Instead, the system 102can use the inverted index 318 separate from the raw record data storeto generate responses to the received queries.

3.0. Query Processing and Execution

FIG. 4A is a flow diagram illustrating an embodiment of a routineimplemented by the query system 114 for executing a query. At block 402,the query system 114 receives a search query. As described herein, thequery can be in the form of a pipelined command language or other querylanguage and include filter criteria used to identify a set of data andprocessing criteria used to process the set of data.

At block 404, the query system 114 processes the query. As part ofprocessing the query, the query system 114 can determine whether thequery was submitted by an authenticated user and/or review the query todetermine that it is in a proper format for the data intake and querysystem 102, has correct semantics and syntax, etc. In addition, thequery system 114 can determine what, if any, configuration files orother configurations to use as part of the query.

In addition as part of processing the query, the query system 114 candetermine what portion(s) of the query to execute in a distributedmanner (e.g., what to delegate to search nodes) and what portions of thequery to execute in a non-distributed manner (e.g., what to execute onthe search head). For the parts of the query that are to be executed ina distributed manner, the query system 114 can generate specificcommands, for the components that are to execute the query. This mayinclude generating subqueries, partial queries or different phases ofthe query for execution by different components of the query system 114.In some cases, the query system 114 can use map-reduce techniques todetermine how to map the data for the search and then reduce the data.Based on the map-reduce phases, the query system 114 can generate querycommands for different components of the query system 114.

As part of processing the query, the query system 114 can determinewhere to obtain the data. For example, in some cases, the data mayreside on one or more indexing nodes or search nodes, as part of thestorage system 116 or may reside in a shared storage system or a systemexternal to the system 102. In some cases, the query system 114 candetermine what components to use to obtain and process the data. Forexample, the query system 114 can identify search nodes that areavailable for the query, etc.

At block 406, the query system 1206 distributes the determined portionsor phases of the query to the appropriate components (e.g., searchnodes). In some cases, the query system 1206 can use a catalog todetermine which components to use to execute the query (e.g., whichcomponents include relevant data and/or are available, etc.).

At block 408, the components assigned to execute the query, execute thequery. As mentioned, different components may execute different portionsof the query. In some cases, multiple components (e.g., multiple searchnodes) may execute respective portions of the query concurrently andcommunicate results of their portion of the query to another component(e.g., search head). As part of the identifying the set of data orapplying the filter criteria, the components of the query system 114 cansearch for events that match the criteria specified in the query. Thesecriteria can include matching keywords or specific values for certainfields. The searching operations at block 408 may use the late-bindingschema to extract values for specified fields from events at the timethe query is processed. In some embodiments, one or more rules forextracting field values may be specified as part of a sourcetypedefinition in a configuration file or in the query itself. In certainembodiments where search nodes are used to obtain the set of data, thesearch nodes can send the relevant events back to the search head, oruse the events to determine a partial result, and send the partialresult back to the search head.

At block 410, the query system 114 combines the partial results and/orevents to produce a final result for the query. As mentioned, in somecases, combining the partial results and/or finalizing the results caninclude further processing the data according to the query. Suchprocessing may entail joining different set of data, transforming thedata, and/or performing one or more mathematical operations on the data,preparing the results for display, etc.

In some examples, the results of the query are indicative of performanceor security of the IT environment and may help improve the performanceof components in the IT environment. This final result may comprisedifferent types of data depending on what the query requested. Forexample, the results can include a listing of matching events returnedby the query, or some type of visualization of the data from thereturned events. In another example, the final result can include one ormore calculated values derived from the matching events.

The results generated by the query system 114 can be returned to aclient using different techniques. For example, one technique streamsresults or relevant events back to a client in real-time as they areidentified. Another technique waits to report the results to the clientuntil a complete set of results (which may include a set of relevantevents or a result based on relevant events) is ready to return to theclient. Yet another technique streams interim results or relevant eventsback to the client in real-time until a complete set of results isready, and then returns the complete set of results to the client. Inanother technique, certain results are stored as “search jobs” and theclient may retrieve the results by referring to the search jobs.

The query system 114 can also perform various operations to make thesearch more efficient. For example, before the query system 114 beginsexecution of a query, it can determine a time range for the query and aset of common keywords that all matching events include. The querysystem 114 may then use these parameters to obtain a superset of theeventual results. Then, during a filtering stage, the query system 114can perform field-extraction operations on the superset to produce areduced set of search results. This speeds up queries, which may beparticularly helpful for queries that are performed on a periodic basis.In some cases, to make the search more efficient, the query system 114can use information known about certain data sets that are part of thequery to filter other data sets. For example, if an early part of thequery includes instructions to obtain data with a particular field, butlater commands of the query do not rely on the data with that particularfield, the query system 114 can omit the superfluous part of the queryfrom execution.

Various embodiments of the present disclosure can be implemented using,or in conjunction with, a pipelined command language. A pipelinedcommand language is a language in which a set of inputs or data isoperated on by a first command in a sequence of commands, and thensubsequent commands in the order they are arranged in the sequence. Suchcommands can include any type of functionality for operating on data,such as retrieving, searching, filtering, aggregating, processing,transmitting, and the like. As described herein, a query can thus beformulated in a pipelined command language and include any number ofordered or unordered commands for operating on data.

Splunk Processing Language (SPL) is an example of a pipelined commandlanguage in which a set of inputs or data is operated on by any numberof commands in a particular sequence. A sequence of commands, or commandsequence, can be formulated such that the order in which the commandsare arranged defines the order in which the commands are applied to aset of data or the results of an earlier executed command. For example,a first command in a command sequence can include filter criteria usedto search or filter for specific data. The results of the first commandcan then be passed to another command listed later in the commandsequence for further processing.

In various embodiments, a query can be formulated as a command sequencedefined in a command line of a search UI. In some embodiments, a querycan be formulated as a sequence of SPL commands. Some or all of the SPLcommands in the sequence of SPL commands can be separated from oneanother by a pipe symbol “|.” In such embodiments, a set of data, suchas a set of events, can be operated on by a first SPL command in thesequence, and then a subsequent SPL command following a pipe symbol “|”after the first SPL command operates on the results produced by thefirst SPL command or other set of data, and so on for any additional SPLcommands in the sequence. As such, a query formulated using SPLcomprises a series of consecutive commands that are delimited by pipe“|” characters. The pipe character indicates to the system that theoutput or result of one command (to the left of the pipe) should be usedas the input for one of the subsequent commands (to the right of thepipe). This enables formulation of queries defined by a pipeline ofsequenced commands that refines or enhances the data at each step alongthe pipeline until the desired results are attained. Accordingly,various embodiments described herein can be implemented with SplunkProcessing Language (SPL) used in conjunction with the SPLUNK®ENTERPRISE system.

While a query can be formulated in many ways, a query can start with asearch command and one or more corresponding search terms or filtercriteria at the beginning of the pipeline. Such search terms or filtercriteria can include any combination of keywords, phrases, times, dates,Boolean expressions, fieldname-field value pairs, etc. that specifywhich results should be obtained from different locations. The resultscan then be passed as inputs into subsequent commands in a sequence ofcommands by using, for example, a pipe character. The subsequentcommands in a sequence can include directives for additional processingof the results once it has been obtained from one or more indexes. Forexample, commands may be used to filter unwanted information out of theresults, extract more information, evaluate field values, calculatestatistics, reorder the results, create an alert, create summary of theresults, or perform some type of aggregation function. In someembodiments, the summary can include a graph, chart, metric, or othervisualization of the data. An aggregation function can include analysisor calculations to return an aggregate value, such as an average value,a sum, a maximum value, a root mean square, statistical values, and thelike.

Due to its flexible nature, use of a pipelined command language invarious embodiments is advantageous because it can perform “filtering”as well as “processing” functions. In other words, a single query caninclude a search command and search term expressions, as well asdata-analysis expressions. For example, a command at the beginning of aquery can perform a “filtering” step by retrieving a set of data basedon a condition (e.g., records associated with server response times ofless than 1 microsecond). The results of the filtering step can then bepassed to a subsequent command in the pipeline that performs a“processing” step (e.g. calculation of an aggregate value related to thefiltered events such as the average response time of servers withresponse times of less than 1 microsecond). Furthermore, the searchcommand can allow events to be filtered by keyword as well as fieldcriteria. For example, a search command can filter events based on theword “warning” or filter events based on a field value “10.0.1.2”associated with a field “clientip.”

The results obtained or generated in response to a command in a querycan be considered a set of results data. The set of results data can bepassed from one command to another in any data format. In oneembodiment, the set of result data can be in the form of a dynamicallycreated table. Each command in a particular query can redefine the shapeof the table. In some implementations, an event retrieved from an indexin response to a query can be considered a row with a column for eachfield value. Columns can contain basic information about the data and/ordata that has been dynamically extracted at search time.

FIG. 4B provides a visual representation of the manner in which apipelined command language or query can operate in accordance with thedisclosed embodiments. The query 430 can be input by the user andsubmitted to the query system 114. In the illustrated embodiment, thequery 430 comprises filter criteria 430A, followed by two commands 430B,430C (namely, Command1 and Command2). Disk 422 represents data as it isstored in a data store to be searched. For example, disk 422 canrepresent a portion of the storage system 116 or some other data storethat can be searched by the query system 114. Individual rows of canrepresent different events and columns can represent different fieldsfor the different events. In some cases, these fields can include rawmachine data, host, source, and sourcetype.

At block 440, the query system 114 uses the filter criteria 430A (e.g.,“sourcetype=syslog ERROR”) to filter events stored on the disk 422 togenerate an intermediate results table 424. Given the semantics of thequery 430 and order of the commands, the query system 114 can executethe filter criteria 430A portion of the query 430 before executingCommand1 or Command2.

Rows in the table 424 may represent individual records, where eachrecord corresponds to an event in the disk 422 that satisfied the filtercriteria. Columns in the table 424 may correspond to different fields ofan event or record, such as “user,” “count,” percentage,” “timestamp,”or the raw machine data of an event, etc. Notably, the fields in theintermediate results table 424 may differ from the fields of the eventson the disk 422. In some cases, this may be due to the late bindingschema described herein that can be used to extract field values atsearch time. Thus, some of the fields in table 424 may not have existedin the events on disk 422.

Illustratively, the intermediate results table 424 has fewer rows thanwhat is shown in the disk 422 because only a subset of events retrievedfrom the disk 422 matched the filter criteria 430A “sourcetype=syslogERROR.” In some embodiments, instead of searching individual events orraw machine data, the set of events in the intermediate results table424 may be generated by a call to a pre-existing inverted index.

At block 442, the query system 114 processes the events of the firstintermediate results table 424 to generate the second intermediateresults table 426. With reference to the query 430, the query system 114processes the events of the first intermediate results table 424 toidentify the top users according to Command1. This processing mayinclude determining a field value for the field “user” for each recordin the intermediate results table 424, counting the number of uniqueinstances of each “user” field value (e.g., number of users with thename David, John, Julie, etc.) within the intermediate results table424, ordering the results from largest to smallest based on the count,and then keeping only the top 10 results (e.g., keep an identificationof the top 10 most common users). Accordingly, each row of table 426 canrepresent a record that includes a unique field value for the field“user,” and each column can represent a field for that record, such asfields “user,” “count,” and “percentage.”

At block 444, the query system 114 processes the second intermediateresults table 426 to generate the final results table 428. Withreference to query 430, the query system 114 applies the command“fields—present” to the second intermediate results table 426 togenerate the final results table 428. As shown, the command“fields—present” of the query 430 results in one less column, which mayrepresent that a field was removed during processing. For example, thequery system 114 may have determined that the field “percentage” wasunnecessary for displaying the results based on the Command2. In such ascenario, each record of the final results table 428 would include afield “user,” and “count.” Further, the records in the table 428 wouldbe ordered from largest count to smallest count based on the querycommands.

It will be understood that the final results table 428 can be a thirdintermediate results table, which can be pipelined to another stagewhere further filtering or processing of the data can be performed,e.g., preparing the data for display purposes, filtering the data basedon a condition, performing a mathematical calculation with the data,etc. In different embodiments, other query languages, such as theStructured Query Language (“SQL”), can be used to create a query.

As described herein, extraction rules can be used to extract field-valuepairs or field values from data. An extraction rule can comprise one ormore regex rules that specify how to extract values for the fieldcorresponding to the extraction rule. In addition to specifying how toextract field values, the extraction rules may also include instructionsfor deriving a field value by performing a function on a characterstring or value retrieved by the extraction rule. For example, anextraction rule may truncate a character string or convert the characterstring into a different data format. Extraction rules can be used toextract one or more values for a field from events by parsing theportions of machine data in the events and examining the data for one ormore patterns of characters, numbers, delimiters, etc., that indicatewhere the field begins and, optionally, ends. In certain embodiments,extraction rules can be stored in one or more configuration files. Insome cases, a query itself can specify one or more extraction rules.

In some cases, extraction rules can be applied at data ingest by theintake system 110 and/or indexing system 112. For example, the intakesystem 110 and indexing system 112 can apply extraction rules toingested data and/or events generated from the ingested data and storeresults in an inverted index.

The system 102 advantageously allows for search time field extraction.In other words, fields can be extracted from the event data at searchtime using late-binding schema as opposed to at data ingestion time,which was a major limitation of the prior art systems. Accordingly,extraction rules can be applied at search time by the query system 114.The query system can apply extraction rules to events retrieved from thestorage system 116 or data received from sources external to the system102. Extraction rules can be applied to all the events in the storagesystem 116 or to a subset of the events that have been filtered based onsome filter criteria (e.g., event timestamp values, etc.).

FIG. 4C is a block diagram illustrating an embodiment of the table 319showing events 320-326, described previously with reference to FIG. 3B.As described herein, the table 319 is for illustrative purposes, and theevents 320-326 may be stored in a variety of formats in an event datafile 316 or raw record data store. Further, it will be understood thatthe event data file 316 or raw record data store can store millions ofevents. FIG. 4C also illustrates an embodiment of a search bar 450 forentering a query and a configuration file 452 that includes variousextraction rules that can be applied to the events 320-326.

As a non-limiting example, if a user inputs a query into search bar 450that includes only keywords (also known as “tokens”), e.g., the keyword“error” or “warning,” the query system 114 can search for those keywordsdirectly in the events 320-326 stored in the raw record data store.

As described herein, the indexing system 112 can optionally generate anduse an inverted index with keyword entries to facilitate fast keywordsearching for event data. If a user searches for a keyword that is notincluded in the inverted index, the query system 114 may nevertheless beable to retrieve the events by searching the event data for the keywordin the event data file 316 or raw record data store directly. Forexample, if a user searches for the keyword “eva,” and the name “eva”has not been indexed at search time, the query system 114 can search theevents 320-326 directly and return the first event 320. In the casewhere the keyword has been indexed, the inverted index can include areference pointer that will allow for a more efficient retrieval of theevent data from the data store. If the keyword has not been indexed, thequery system 114 can search through the events in the event data file toservice the search.

In many cases, a query include fields. The term “field” refers to alocation in the event data containing one or more values for a specificdata item. Often, a field is a value with a fixed, delimited position ona line, or a name and value pair, where there is a single value to eachfield name. A field can also be multivalued, that is, it can appear morethan once in an event and have a different value for each appearance,e.g., email address fields. Fields are searchable by the field name orfield name-value pairs. Some examples of fields are “clientip” for IPaddresses accessing a web server, or the “From” and “To” fields in emailaddresses.

By way of further example, consider the query, “status=404.” This searchquery finds events with “status” fields that have a value of “404.” Whenthe search is run, the query system 114 does not look for events withany other “status” value. It also does not look for events containingother fields that share “404” as a value. As a result, the searchreturns a set of results that are more focused than if “404” had beenused in the search string as part of a keyword search. Note also thatfields can appear in events as “key=value” pairs such as“user_name=Bob.” But in most cases, field values appear in fixed,delimited positions without identifying keys. For example, the datastore may contain events where the “user_name” value always appears byitself after the timestamp as illustrated by the following string: “Nov15 09:33:22 evaemerson.”

FIG. 4C illustrates the manner in which configuration files may be usedto configure custom fields at search time in accordance with thedisclosed embodiments. In response to receiving a query, the querysystem 114 determines if the query references a “field.” For example, aquery may request a list of events where the “clientip” field equals“127.0.0.1.” If the query itself does not specify an extraction rule andif the field is not an indexed metadata field, e.g., time, host, source,sourcetype, etc., then in order to determine an extraction rule, thequery system 114 may, in one or more embodiments, locate configurationfile 452 during the execution of the query.

Configuration file 452 may contain extraction rules for various fields,e.g., the “clientip” field. The extraction rules may be inserted intothe configuration file 452 in a variety of ways. In some embodiments,the extraction rules can comprise regular expression rules that aremanually entered in by the user.

In one or more embodiments, as noted above, a field extractor may beconfigured to automatically generate extraction rules for certain fieldvalues in the events when the events are being created, indexed, orstored, or possibly at a later time. In one embodiment, a user may beable to dynamically create custom fields by highlighting portions of asample event that should be extracted as fields using a graphical userinterface. The system can then generate a regular expression thatextracts those fields from similar events and store the regularexpression as an extraction rule for the associated field in theconfiguration file 452.

In some embodiments, the indexing system 112 can automatically discovercertain custom fields at index time and the regular expressions forthose fields will be automatically generated at index time and stored aspart of extraction rules in configuration file 452. For example, fieldsthat appear in the event data as “key=value” pairs may be automaticallyextracted as part of an automatic field discovery process. Note thatthere may be several other ways of adding field definitions toconfiguration files in addition to the methods discussed herein.

Events from heterogeneous sources that are stored in the storage system116 may contain the same fields in different locations due todiscrepancies in the format of the data generated by the varioussources. For example, event 326 also contains a “clientip” field,however, the “clientip” field is in a different format from events 320,322, and 324. Furthermore, certain events may not contain a particularfield at all. To address the discrepancies in the format and content ofthe different types of events, the configuration file 452 can specifythe set of events to which an extraction rule applies. For example,extraction rule 454 specifies that it is to be used with events having asourcetype “access_combined,” and extraction rule 456 specifies that itis to be used with events having a sourcetype “apache_error.” Otherextraction rules shown in configuration file 452 specify a set or typeof events to which they apply. In addition, the extraction rules shownin configuration file 452 include a regular expression for parsing theidentified set of events to determine the corresponding field value.Accordingly, each extraction rule may pertain to only a particular typeof event. Accordingly, if a particular field, e.g., “clientip” occurs inmultiple types of events, each of those types of events can have its owncorresponding extraction rule in the configuration file 452 and each ofthe extraction rules would comprise a different regular expression toparse out the associated field value. In some cases, the sets of eventsare grouped by sourcetype because events generated by a particularsource can have the same format.

The field extraction rules stored in configuration file 452 can be usedto perform search-time field extractions. For example, for a query thatrequests a list of events with sourcetype “access_combined” where the“clientip” field equals “127.0.0.1,” the query system 114 can locate theconfiguration file 452 to retrieve extraction rule 454 that allows it toextract values associated with the “clientip” field from the eventswhere the sourcetype is “access_combined” (e.g., events 320-324). Afterthe “clientip” field has been extracted from the events 320, 322, 324,the query system 114 can then apply the field criteria by performing acompare operation to filter out events where the “clientip” field doesnot equal “127.0.0.1.” In the example shown in FIG. 4C, the events 320and 322 would be returned in response to the user query. In this manner,the query system 114 can service queries with filter criteria containingfield criteria and/or keyword criteria.

It should also be noted that any events filtered by performing asearch-time field extraction using a configuration file 452 can befurther processed by directing the results of the filtering step to aprocessing step using a pipelined search language. Using the priorexample, a user can pipeline the results of the compare step to anaggregate function by asking the query system 114 to count the number ofevents where the “clientip” field equals “127.0.0.1.”

By providing the field definitions for the queried fields at searchtime, the configuration file 452 allows the event data file or rawrecord data store to be field searchable. In other words, the raw recorddata store can be searched using keywords as well as fields, wherein thefields are searchable name/value pairings that can distinguish one eventfrom another event and can be defined in configuration file 452 usingextraction rules. In comparison to a search containing field names, akeyword search may result in a search of the event data directly withoutthe use of a configuration file.

Further, the ability to add schema to the configuration file 452 atsearch time results in increased efficiency and flexibility. A user cancreate new fields at search time and simply add field definitions to theconfiguration file 452. As a user learns more about the data in theevents, the user can continue to refine the late-binding schema byadding new fields, deleting fields, or modifying the field extractionrules in the configuration file for use the next time the schema is usedby the system 102. Because the system 102 maintains the underlying rawdata and uses late-binding schema for searching the raw data, it enablesa user to continue investigating and learn valuable insights about theraw data long after data ingestion time. Similarly, multiple fielddefinitions can be added to the configuration file to capture the samefield across events generated by different sources or sourcetypes. Thisallows the system 102 to search and correlate data across heterogeneoussources flexibly and efficiently.

The system 102 can use one or more data models to search and/or betterunderstand data. A data model is a hierarchically structured search-timemapping of semantic knowledge about one or more datasets. It encodes thedomain knowledge used to build a variety of specialized searches ofthose datasets. Those searches, in turn, can be used to generatereports.

The above-described system provides significant flexibility by enablinga user to analyze massive quantities of minimally-processed data “on thefly” at search time using a late-binding schema, instead of storingpre-specified portions of the data in a database at ingestion time. Thisflexibility enables a user to see valuable insights, correlate data, andperform subsequent queries to examine interesting aspects of the datathat may not have been apparent at ingestion time.

Performing extraction and analysis operations at search time can involvea large amount of data and require a large number of computationaloperations, which can cause delays in processing the queries. In someembodiments, the system 102 can employ a number of unique accelerationtechniques to speed up analysis operations performed at search time.These techniques include: performing search operations in parallel usingmultiple components of the query system 114, using an inverted index118, and accelerating the process of generating reports.

To facilitate faster query processing, a query can be structured suchthat multiple components of the query system 114 (e.g., search nodes)perform the query in parallel, while aggregation of search results fromthe multiple components is performed at a particular component (e.g.,search head). For example, consider a scenario in which a user entersthe query “Search “error” stats count BY host.” The query system 114 canidentify two phases for the query, including: (1) subtasks (e.g., dataretrieval or simple filtering) that may be performed in parallel bymultiple components, such as search nodes, and (2) a search resultsaggregation operation to be executed by one component, such as thesearch head, when the results are ultimately collected from the searchnodes.

Based on this determination, the query system 114 can generate commandsto be executed in parallel by the search nodes, with each search nodeapplying the generated commands to a subset of the data to be searched.In this example, the query system 114 generates and then distributes thefollowing commands to the individual search nodes: “Search “error”prestats count BY host.” In this example, the “prestats” command canindicate that individual search nodes are processing a subset of thedata and are responsible for producing partial results and sending themto the search head. After the search nodes return the results to thesearch head, the search head aggregates the received results to form asingle search result set. By executing the query in this manner, thesystem effectively distributes the computational operations across thesearch nodes while reducing data transfers. It will be understood thatthe query system 114 can employ a variety of techniques to usedistributed components to execute a query. In some embodiments, thequery system 114 can use distributed components for only mappingfunctions of a query (e.g., gather data, applying filter criteria,etc.). In certain embodiments, the query system 114 can use distributedcomponents for mapping and reducing functions (e.g., joining data,combining data, reducing data, etc.) of a query.

4.0. Example Use Cases

The system 102 provides various schemas, dashboards, and visualizationsthat simplify developers' tasks to create applications with additionalcapabilities, including but not limited to security, data centermonitoring, IT service monitoring, and client/customer insights.

An embodiment of an enterprise security application is as SPLUNK®ENTERPRISE SECURITY, which performs monitoring and alerting operationsand includes analytics to facilitate identifying both known and unknownsecurity threats based on large volumes of data stored by the system102. The enterprise security application provides the securitypractitioner with visibility into security-relevant threats found in theenterprise infrastructure by capturing, monitoring, and reporting ondata from enterprise security devices, systems, and applications.Through the use of the system 102 searching and reporting capabilities,the enterprise security application provides a top-down and bottom-upview of an organization's security posture.

An embodiment of an IT monitoring application is SPLUNK® IT SERVICEINTELLIGENCE™, which performs monitoring and alerting operations. The ITmonitoring application also includes analytics to help an analystdiagnose the root cause of performance problems based on large volumesof data stored by the system 102 as correlated to the various servicesan IT organization provides (a service-centric view). This differssignificantly from conventional IT monitoring systems that lack theinfrastructure to effectively store and analyze large volumes ofservice-related events. Traditional service monitoring systems typicallyuse fixed schemas to extract data from pre-defined fields at dataingestion time, wherein the extracted data is typically stored in arelational database. This data extraction process and associatedreduction in data content that occurs at data ingestion time inevitablyhampers future investigations, when all of the original data may beneeded to determine the root cause of or contributing factors to aservice issue.

In contrast, an IT monitoring application system stores large volumes ofminimally-processed service-related data at ingestion time for laterretrieval and analysis at search time, to perform regular monitoring, orto investigate a service issue. To facilitate this data retrievalprocess, the IT monitoring application enables a user to define an IToperations infrastructure from the perspective of the services itprovides. In this service-centric approach, a service such as corporatee-mail may be defined in terms of the entities employed to provide theservice, such as host machines and network devices. Each entity isdefined to include information for identifying all of the events thatpertains to the entity, whether produced by the entity itself or byanother machine, and considering the many various ways the entity may beidentified in machine data (such as by a URL, an IP address, or machinename). The service and entity definitions can organize events around aservice so that all of the events pertaining to that service can beeasily identified. This capability provides a foundation for theimplementation of Key Performance Indicators.

As described herein, the system 102 can receive heterogeneous data fromdisparate systems. In some cases, the data from the disparate systemsmay be related and correlating the data can result in insights intoclient or customer interactions with various systems of a vendor. To aidin the correlation of data across different systems, multiple fielddefinitions can be added to one or more configuration files to capturethe same field or data across events generated by different sources orsourcetypes. This can enable the system 102 to search and correlate dataacross heterogeneous sources flexibly and efficiently.

As a non-limiting example and with reference to FIG. 4D, consider ascenario in which a common customer identifier is found among log datareceived from three disparate data sources. In this example, a usersubmits an order for merchandise using a vendor's shopping applicationprogram 460 running on the user's system. In this example, the order wasnot delivered to the vendor's server due to a resource exception at thedestination server that is detected by the middleware code 462. The userthen sends a message to the customer support server 464 to complainabout the order failing to complete. The three systems 460, 462, 464 aredisparate systems that do not have a common logging format. The shoppingapplication program 460 sends log data 466 to the system 102 in oneformat, the middleware code 462 sends error log data 468 in a secondformat, and the support server 464 sends log data 470 in a third format.

Using the log data received at the system 102 from the three systems460, 462, 464, the vendor can uniquely obtain an insight into useractivity, user experience, and system behavior. The system 102 allowsthe vendor's administrator to search the log data from the three systems460, 462, 464, thereby obtaining correlated information, such as theorder number and corresponding customer ID number of the person placingthe order. The system 102 also allows the administrator to see avisualization of related events via a user interface. The administratorcan query the system 102 for customer ID field value matches across thelog data from the three systems 460, 462, 464 that are stored in thestorage system 116. While the customer ID field value exists in the datagathered from the three systems 460, 462, 464, it may be located indifferent areas of the data given differences in the architecture of thesystems. The query system 114 obtains events from the storage system 116related to the three systems 460, 462, 464. The query system 114 thenapplies extraction rules to the events in order to extract field valuesfor the field “customer ID” that it can correlate. As described herein,the query system 114 may apply a different extraction rule to each setof events from each system when the event format differs among systems.In this example, a user interface can display to the administrator theevents corresponding to the common customer ID field values 472, 474,and 476, thereby providing the administrator with insight into acustomer's experience. The system 102 can provide additional userinterfaces and reports to aid a user in analyzing the data associatedwith the customer.

5.0. Interactive Security Visualization of Network Entity Data

A data intake and query system such as described above has many possibleapplications, one of which is to facilitate monitoring and analysis ofnetwork security issues. FIG. 5 illustrates an example of an environment500 in which this can be accomplished. The environment 500 of FIG. 5 issimilar to that of FIG. 1 , except that it also includes a securityapplication 502 operatively coupled to the data intake and query system102. The security application 502 can be a software application thatruns logically “on top of” the data intake and query system 102. Twomajor components of the security application are a risk scoring engine504 and a graphical user interface (GUI) generator 506. In at least someembodiments, clients 106 of the data intake and query system 102 alsoare clients of (and therefore have access to) the security application502.

The risk scoring engine 504 accesses stored events (e.g., in storage116), or a live stream of events ingested through the intake system 110,or a combination thereof, identifies various network entities associatedwith those events, and assigns risk scores to those entities. Hence, therisk scoring engine 504 can operate in an online mode (i.e., by scoringnewly received events as they are received by the data intake and querysystem 102), in an off-line (batch) mode (i.e., by scoring indexed andstored events), or both. The entities identified by the risk scoringengine can include, for example, computer users, devices (e.g., clients,servers, routers, virtual machines), applications, or a combinationthereof. The manner in which entities are identified (i.e., the“identity resolution” process) is not germane to the techniqueintroduced here; any known or convenient technique can be used toaccomplish that.

In general, a network security application may make massive amounts ofdata available to a human user, such as a security analyst, even afterautomated filtering by the security application. Accordingly, there is achallenge of how to present to the user sufficient information to enablethe user to make well informed security related decisions, in an easy tounderstand format, without overwhelming the user with irrelevant orunimportant information. Introduced here, therefore, are techniques forenabling a human user, such as a security analyst, to view and analyzenetwork security data generated or accessed by a security application.These techniques may be implemented in security application 502 in FIG.5 , for example.

As described in greater detail below, the GUI generator 506 provides aGUI (accessible via any of the client computing devices 106, forexample) in which various network-related entities (e.g., users) aregraphically and individually represented by geometric shapes in aninteractive, color-coded display that graphically indicates the degreesof risk the entities represent to the network. The display, called a“treemap” herein, can take the form of multiple adjacent, color-codedpolygons (e.g., rectangles) that are interlocked in a jigsaw puzzle-likemanner, where each polygon represents a different entity. In at leastsome embodiments, the area of each polygon is indicative of the numberof detected anomalies associated with the corresponding entity in aselected time period, and the color of each polygon is indicative of adetermined risk level of the corresponding entity for that time period.In other embodiments, this relationship may be reversed; that is, colormay instead be used to indicate number of anomalies while size is usedto indicate risk level. Alternatively, different visual characteristicsbesides color or size may be used to indicate number of anomalies, risklevel, or other parameters related to the represented entities. In atleast some embodiments, entities other than users (e.g., devices and/orapplications) can be represented in the treemap, and two or moredifferent types of entities may be represented in the same treemap. Auser of the security application can “drill down” on any particularpolygon to see more detailed information about the corresponding entity,such as a graphical plot of the entity's risk score versus time, or alisting of events associated with the entity's risk score.

FIG. 6 shows an example of an overall process for generating aninteractive visualization of security related data. The process 600 maybe performed, at least in part, by the security application 502. Theprocess 600 begins at step 610, with accessing data representing aplurality of events that have occurred on a network. The plurality ofevents relate to a plurality of entities that are part of or interactwith the network, such as users, devices, applications, or a combinationthereof. At step 620, the process identifies security related anomaliesin the data, and at step 630 the process assigns a risk score to each ofthe entities based on the identified anomalies. Each risk scorerepresents a degree of risk that a corresponding entity represents tothe network whose event data is being monitored. The specific manner inwhich anomalies are identified by the system is not germane to thetechnique introduced here; any known or convenient technique foridentifying security related anomalies in event data can be used. Atstep 640, the process generates a visualization data for a color-codedinteractive visualization in which the plurality of entities aregraphically and individually represented according to degrees of riskthat the entities represent to the network. An example of such avisualization is a color-coded treemap, as discussed further below. Atstep 650 the process causes the color-coded interactive visualization tobe displayed on a display device (e.g., of a client device 106) based onthe visualization data. Note that in at least some embodiments, theorder of the above-mentioned steps can be different than that shown inFIG. 6 , and some steps can be performed concurrently. For example, step640 may be performed concurrently with steps 610, 620 and 630, such thatthe visualization is continuously updated in real time in response tonewly detected anomalies and/or newly ingested event data.

The right side of FIG. 6 shows step 640 in greater detail, according toat least some embodiments. As shown, step 640 can include step 640 a, inwhich each entity is assigned to a separate polygon, of a plurality ofpolygons that are to be displayed concurrently on a display screen. Inat least some embodiments, the polygons are rectangles, and aredisplayed in an interlocking, jigsaw puzzle-like manner, as shown byexample in FIG. 7 (discussed further below). In other embodiments,geometric shapes other than rectangles may be used, such as triangles,circles, ellipses, or other shapes, or a combination of differentshapes.

Step 640 a can be followed by step 640 b, in which the size of eachpolygon is selected to be indicative of the number of security relatedanomalies associated with the corresponding entity (e.g., where arectangle of larger area rectangle corresponds to a higher number ofanomalies than a rectangle of smaller area), and by step 640 c in whicha color of each of the plurality of polygons is assigned to beindicative of the risk level assigned to the corresponding entity (e.g.,where a “hot” color such as red indicates the highest risk level while a“cooler” color such as yellow, green or blue indicates low risk level).In other embodiments, this relationship may be reversed, i.e., color maybe used to indicate the number of anomalies while size indicates risklevel. In still other embodiments, color and/or size may be replacedwith some other visual characteristic(s).

In at least some embodiments, there are at least two possible risklevels, where a “risk level” is a specified range of risk scores. Eachentity, and therefore each polygon, is assigned to one risk level at anygiven point in time, although an entity's risk level may change overtime (e.g., as new data is received and analyzed by the system). Forexample, risk scores may be assigned from 0 to 100, where scores 67 to100 correspond to the highest risk level (and the “hottest” color, e.g.,red), scores 34 to 66 correspond to moderate risk level (and a “warm”color such as orange), and scores 0 to 33 correspond to the lowest risklevel (and a “cooler” color, such as yellow). In various embodiments,the thresholds between risk levels may be different, and/or a greater orfewer number of risk levels may be used. Further, the mapping of riskscore to risk level can either be fixed (as described above) or dynamicbased on some algorithm. For example, the algorithm may examine all ofthe risk scores in the enterprise and determine that it is common forthose risk scores to be between 50 and 90 and therefore make this levelto be of a “cooler” color. Additionally, the number of risk levels, thethresholds between risk levels, and/or the mapping of risk scores torisk levels all can be user-modifiable.

Additional details of the visualization technique are discussed now inrelation to FIG. 7 . FIG. 7 shows an example of a GUI screen that may begenerated by the GUI generator. The primary feature of the GUI screen700 is the color-coded treemap 701, the purpose of which is to indicategraphically the most risky entities associated with the network that isbeing monitored. In the illustrated embodiment, the treemap 701 is a setof color-coded, interlocking rectangles (such as rectangle 702, forexample), each of which represents a different entity, where the colorof each rectangle is indicative of the risk level associated withassociated entity, and the size of each rectangle is indicative of thenumber of anomalies detected for that entity. As shown, the number ofanomalies associated with the user is displayed numerically in thecenter of each rectangle. If a rectangle is big enough, the name of theentity that it represents is displayed inside the rectangle. Forexample, rectangle 702 represents an entity (user) named Jane Cooper,whose current risk score is “96.” If a rectangle is too small, theentity name and/or number of anomalies may not be displayed inside it;however, that information will pop up in a small dialog box if the userclicks on the rectangle and/or while the user dwells his or her cursorover that rectangle.

The simultaneous use of both size and color for polygons in this mannerto indicate different risk related parameters gives the security analystkey information that can be easily understood at a glance. For example,a particular entity may have only a small number of associatedanomalies, but may still have a high risk level (e.g., due to the natureor timing of those anomalies); this entity would be represented by asmall rectangle that has a relatively “hot” color (e.g., red).Conversely, another entity may have a large number of anomalies and yethave a low risk level; this entity would be represented by a relativelylarge rectangle with a “cooler” color (e.g., yellow). With a treemaprepresentation such as shown in FIG. 7 , a security analyst can easilydistinguish the risk impact of these two users (along with other users)at a glance.

A layout module (not shown) within the GUI generator can determine theon-screen layout of the polygons in the treemap so that all of therectangles fit together in a jigsaw puzzle-like manner and so thatrectangles of the same color (i.e., same risk level) are groupedtogether, as shown in FIG. 7 . Off-the-shelf software libraries areavailable that have the ability to determine an on-screen layout ofgeometric shapes based on programmer-selected or user-selected inputcriteria, and may be used to generate the actual layout of the polygons.One example of such a library is Recharts, an open source charting toolavailable from the Recharts Group. The inputs that are provided to thelayout module in this scenario may be, for example, the name of eachentity to be represented on screen, the color (representing risk level)assigned to each of those entities (e.g., red for high, orange formedium, and yellow for low), and the number of anomalies associated witheach of the entities. In at least some embodiments, if polygons in morethan one score range are displayed, the system makes best efforts to layout the polygons from top left to bottom right in descending order ofrisk score, with highest starting at the top left and lowest at thebottom right, to allow the analyst's eyes to follow easily from left toright and from top to bottom in order of importance.

Referring still to FIG. 7 , the left side of the screen contains ascrollable sorted entity list 704 of the entities represented in thetreemap 701. By default, the entity list 704 may be sorted in descendingorder by risk score, for example. In at least some embodiments, theuser's clicking on an entity in the entity list 704 will cause thatentry in the entity list and the corresponding rectangle in the treemap701 to be highlighted; similarly, the user's clicking on a rectangle inthe treemap 701 will cause that rectangle and the corresponding entry inthe entity list 704 to be highlighted.

In at least some embodiments, different types (or groups) of entities(e.g., users and devices) can be shown concurrently in separatesubgroups in the treemap, e.g., two or more groups/types of entitiesshown next to each other side-by-side, or in another similararrangement. Entity type is just an example of a subgroup, and othersubgroups can also be used: for example subgroups can be defined basedon different departments in the company, different types of assets(servers vs personal devices), etc. For example, by having twodepartments graphically illustrated side-by-side in the treemap, theanalyst can quickly visualize and compare the risk levels of theirrespective entities (e.g., “Does one department A seem to have morerisky entities than department B?”).

The user can apply various types of filtering or display customizationfunctions to the GUI 700. For example, in certain embodiments, as shownin FIG. 8 , the user (e.g., security analyst) can click downward-facingarrow 801, which causes display of a slider control 802 that enable theuser change the maximum number of entities to be included in the treemap(currently shown as “50”). As shown in FIG. 9 , the user can clickdownward-facing arrow 901, which causes display of a time period control902 that enables the user to adjust the time period represented in thedisplay (today, a seven-day window, or other time period). As shown inFIG. 10 , the user can click downward-facing arrow 1001, which causesdisplay of a risk level selection control 1002 that enables the user toselect the risk levels to be displayed (e.g., high, medium and/or low;all ranges are shown currently selected in FIG. 10 ). Any of theaforementioned filtering/customization actions can be appliedconcurrently to update both the list in the treemap. Additionally, theuser can click on the downward-pointing arrow 1003 next to the word“More” to cause opening of a dialog window 1101 containing additionaluser-selectable filtering options, as shown in FIG. 11 . Some of theselectable filtering options may be static; however, at least some ofthe filtering options may be dynamic, based on customer data that thesystem has processed.

In at least some embodiments, the user (e.g., security analyst) can viewadditional details about any entity by double-clicking on that entity'srectangle in the treemap 701 or entry in the entity list 704. Thataction may take the user to a separate screen, such as that shown inFIG. 12 . FIG. 12 shows an example of an entity details display 1200that may be provided, in response to such an action, for a particularentity in the treemap 701. In this example, the entity whose details aredisplayed is a user named Matt Weathers. The left panel 1201 of theentity details display 1200 is an Overview section, which shows thenumber of anomalies detected for that entity during the currentlyselected time period, and provides other information about that entity,such as business unit, location, aliases, etc. The content of theOverview section is dynamic, depending on the entity type (e.g., user,device or application). Clicking the “Create notable” button allows theuser of the GUI to create a notable event corresponding to this entity,on the user's homepage.

The middle section 1202 of the entity details display includes a linegraph 1204 of the entity's risk score versus time, for the currentlyselected time period. The right panel 1206 of the entity details displaycontains a sorted list of events 1208 with associated timestamps. Bydefault, the list of events 1208 may be sorted in descendingchronological order of the events' timestamps, for example. The list ofevents 1208 can be generated by, for example, querying the storage 116(FIG. 5 ) using a REST API, specifying the attributes of the events ofinterest (e.g., time range). The line graph 1204 and the list of events1208 are interactively linked. For example, a user's clicking on a pointin the line graph 1204, such as point 1210 (i.e., a particular riskscore at a particular point in time), causes the event list 1208 to beinteractively updated to show those events most closely associated withthe entity's risk score at that point in time. The currently selecteddata point (event) in the graph is also highlighted in the event list.In at least some embodiments, by default, the point on the graphcorresponding to the largest change in risk score for the selected timeperiod is highlighted on the line graph 1204, and the closestcorresponding event in time is highlighted in the event list 1208. Theevent list 1208 can automatically scroll, if necessary, if the userselects another point on the line graph 1204. In at least someembodiments, the user can zoom into a specific time range by clickingsomewhere on the line graph and moving their mouse left or right, whichdefines a time window range to analyze. When the user zooms in, theevents in the list of events 1208 in the right panel are filtered toonly include the ones in the time range that the user selected. Notethat in some embodiments, a type of graph other than a line graph may beused to represent an entity's risk score over time, or the user may begiven a selection of types of graphs to view.

The screen 1200 in FIG. 12 , also includes a color-coded “donut chart”1212 above the line graph 1204, on the left, illustrating the top (mostcommon) anomalies or anomaly categories associated with that entity forthe selected time period. Another color-coded donut chart 1214 isdisplayed above the line graph 1204, on the right, indicating the topMITRE tactics associated with the anomalies in the selected time period.

FIG. 13 shows another view of the entity details display, in which byclicking on the vertical ellipsis 1301, the user can bring up a control1302 that allows him or her to cause the system to generate a reportbased on the data in the current display, or to select “Change computescore.” Regarding the latter function, the system can maintain two ormore risk scores for every entity, and these two or more risk scores maybe computed based on different time windows. For example, one risk scoremay use only the anomalies observed in the last 24 hours (“1-daywindow”) and another risk score may use the anomalies from the last week(“7-day window”). By selecting “Change compute score,” the user can seea drop-down list 1401 of selectable time windows in which risk scoresfor the various entities have been computed, as shown in FIG. 14 .

The embodiments described above generally involve applying a universalrisk score formula that is common across different entities anduse-cases. In other embodiments that may not be the case, however. Forexample, each entity can have multiple scores, such as “a flight riskscore,” a “data theft risk score,” a “malware infection risk score,”etc. Based on what the security analyst is interested in, they canselect the type of use-case they want, and the visualization will beadjusted to facilitate that use-case. For example, if an analyst isinterested in data theft, they can choose a “Data Theft Risk Logic”option to view a treemap of the riskiest entities for data theft.

6.0. Terminology

Computer programs typically comprise one or more instructions set atvarious times in various memory devices of a computing device, which,when read and executed by at least one processor, will cause a computingdevice to execute functions involving the disclosed techniques. In someembodiments, a carrier containing the aforementioned computer programproduct is provided. The carrier is one of an electronic signal, anoptical signal, a radio signal, or a non-transitory computer-readablestorage medium.

Any or all of the features and functions described above can be combinedwith each other, except to the extent it may be otherwise stated aboveor to the extent that any such embodiments may be incompatible by virtueof their function or structure, as will be apparent to persons ofordinary skill in the art. Unless contrary to physical possibility, itis envisioned that (i) the methods/steps described herein may beperformed in any sequence and/or in any combination, and (ii) thecomponents of respective embodiments may be combined in any manner.

Although the subject matter has been described in language specific tostructural features and/or acts, it is to be understood that the subjectmatter defined in the appended claims is not necessarily limited to thespecific features or acts described above. Rather, the specific featuresand acts described above are disclosed as examples of implementing theclaims, and other equivalent features and acts are intended to be withinthe scope of the claims.

Conditional language, such as, among others, “can,” “could,” “might,” or“may,” unless specifically stated otherwise, or otherwise understoodwithin the context as used, is generally intended to convey that certainembodiments include, while other embodiments do not include, certainfeatures, elements and/or steps. Thus, such conditional language is notgenerally intended to imply that features, elements and/or steps are inany way required for one or more embodiments or that one or moreembodiments necessarily include logic for deciding, with or without userinput or prompting, whether these features, elements and/or steps areincluded or are to be performed in any particular embodiment.Furthermore, use of “e.g.,” is to be interpreted as providing anon-limiting example and does not imply that two things are identical ornecessarily equate to each other.

Unless the context clearly requires otherwise, throughout thedescription and the claims, the words “comprise,” “comprising,” and thelike are to be construed in an inclusive sense, as opposed to anexclusive or exhaustive sense, i.e., in the sense of “including, but notlimited to.” As used herein, the terms “connected,” “coupled,” or anyvariant thereof means any connection or coupling, either direct orindirect, between two or more elements; the coupling or connectionbetween the elements can be physical, logical, or a combination thereof.Additionally, the words “herein,” “above,” “below,” and words of similarimport, when used in this application, refer to this application as awhole and not to any particular portions of this application. Where thecontext permits, words using the singular or plural number may alsoinclude the plural or singular number respectively. The word “or” inreference to a list of two or more items, covers all of the followinginterpretations of the word: any one of the items in the list, all ofthe items in the list, and any combination of the items in the list.Likewise the term “and/or” in reference to a list of two or more items,covers all of the following interpretations of the word: any one of theitems in the list, all of the items in the list, and any combination ofthe items in the list.

Conjunctive language such as the phrase “at least one of X, Y and Z,”unless specifically stated otherwise, is understood with the context asused in general to convey that an item, term, etc. may be either X, Y orZ, or any combination thereof. Thus, such conjunctive language is notgenerally intended to imply that certain embodiments require at leastone of X, at least one of Y and at least one of Z to each be present.Further, use of the phrase “at least one of X, Y or Z” as used ingeneral is to convey that an item, term, etc. may be either X, Y or Z,or any combination thereof.

In some embodiments, certain operations, acts, events, or functions ofany of the algorithms described herein can be performed in a differentsequence, can be added, merged, or left out altogether (e.g., not allare necessary for the practice of the algorithms). In certainembodiments, operations, acts, functions, or events can be performedconcurrently, e.g., through multi-threaded processing, interruptprocessing, or multiple processors or processor cores or on otherparallel architectures, rather than sequentially.

Systems and modules described herein may comprise software, firmware,hardware, or any combination(s) of software, firmware, or hardwaresuitable for the purposes described. Software and other modules mayreside and execute on servers, workstations, personal computers,computerized tablets, PDAs, and other computing devices suitable for thepurposes described herein. Software and other modules may be accessiblevia local computer memory, via a network, via a browser, or via othermeans suitable for the purposes described herein. Data structuresdescribed herein may comprise computer files, variables, programmingarrays, programming structures, or any electronic information storageschemes or methods, or any combinations thereof, suitable for thepurposes described herein. User interface elements described herein maycomprise elements from graphical user interfaces, interactive voiceresponse, command line interfaces, and other suitable interfaces.

Further, processing of the various components of the illustrated systemscan be distributed across multiple machines, networks, and othercomputing resources. Two or more components of a system can be combinedinto fewer components. Various components of the illustrated systems canbe implemented in one or more virtual machines or an isolated executionenvironment, rather than in dedicated computer hardware systems and/orcomputing devices. Likewise, the data repositories shown can representphysical and/or logical data storage, including, e.g., storage areanetworks or other distributed storage systems. Moreover, in someembodiments the connections between the components shown representpossible paths of data flow, rather than actual connections betweenhardware. While some examples of possible connections are shown, any ofthe subset of the components shown can communicate with any other subsetof components in various implementations.

Embodiments are also described above with reference to flow chartillustrations and/or block diagrams of methods, apparatus (systems) andcomputer program products. Each block of the flow chart illustrationsand/or block diagrams, and combinations of blocks in the flow chartillustrations and/or block diagrams, may be implemented by computerprogram instructions. Such instructions may be provided to a processorof a general purpose computer, special purpose computer,specially-equipped computer (e.g., comprising a high-performancedatabase server, a graphics subsystem, etc.) or other programmable dataprocessing apparatus to produce a machine, such that the instructions,which execute via the processor(s) of the computer or other programmabledata processing apparatus, create means for implementing the actsspecified in the flow chart and/or block diagram block or blocks. Thesecomputer program instructions may also be stored in a non-transitorycomputer-readable memory that can direct a computer or otherprogrammable data processing apparatus to operate in a particularmanner, such that the instructions stored in the computer-readablememory produce an article of manufacture including instruction meanswhich implement the acts specified in the flow chart and/or blockdiagram block or blocks. The computer program instructions may also beloaded to a computing device or other programmable data processingapparatus to cause operations to be performed on the computing device orother programmable apparatus to produce a computer implemented processsuch that the instructions which execute on the computing device orother programmable apparatus provide steps for implementing the actsspecified in the flow chart and/or block diagram block or blocks.

Any patents and applications and other references noted above, includingany that may be listed in accompanying filing papers, are incorporatedherein by reference. Aspects of the invention can be modified, ifnecessary, to employ the systems, functions, and concepts of the variousreferences described above to provide yet further implementations of theinvention. These and other changes can be made to the invention in lightof the above Detailed Description. While the above description describescertain examples of the invention, and describes the best modecontemplated, no matter how detailed the above appears in text, theinvention can be practiced in many ways. Details of the system may varyconsiderably in its specific implementation, while still beingencompassed by the invention disclosed herein. As noted above,particular terminology used when describing certain features or aspectsof the invention should not be taken to imply that the terminology isbeing redefined herein to be restricted to any specific characteristics,features, or aspects of the invention with which that terminology isassociated. In general, the terms used in the following claims shouldnot be construed to limit the invention to the specific examplesdisclosed in the specification, unless the above Detailed Descriptionsection explicitly defines such terms. Accordingly, the actual scope ofthe invention encompasses not only the disclosed examples, but also allequivalent ways of practicing or implementing the invention under theclaims.

To reduce the number of claims, certain aspects of the invention arepresented below in certain claim forms, but the applicant contemplatesother aspects of the invention in any number of claim forms. Forexample, while only one aspect of the invention is recited as ameans-plus-function claim under 35 U.S.C. sec. 112(f) (AIA), otheraspects may likewise be embodied as a means-plus-function claim, or inother forms, such as being embodied in a computer-readable medium. Anyclaims intended to be treated under 35 U.S.C. § 112(f) will begin withthe words “means for,” but use of the term “for” in any other context isnot intended to invoke treatment under 35 U.S.C. § 112(f). Accordingly,the applicant reserves the right to pursue additional claims afterfiling this application, in either this application or in a continuingapplication.

What is claimed is:
 1. A computer-implemented method comprising:accessing, by a computer system, data representing a plurality ofevents, each event including machine data generated by an entity of aplurality of entities that are part of or that interact with a network;identifying, by the computer system, a plurality of security relatedanomalies in the data; generating, by the computer system, visualizationdata for producing an interactive visualization in which the pluralityof entities are graphically and individually represented according todegrees of risk that the plurality of entities represent to the network,wherein generating the visualization data includes: assigning each ofthe plurality of entities to a separate polygon of a plurality ofpolygons that are to be displayed concurrently on a display screen, andselecting a visual characteristic of each polygon of the plurality ofpolygons, wherein the visual characteristic of each polygon of theplurality of polygons is indicative of a number of security relatedanomalies associated with an entity corresponding to the polygon or arisk level assigned to the entity; and causing, by the computer system,the interactive visualization to be displayed on a display device usingthe visualization data.
 2. The computer-implemented method of claim 1,further comprising, for each entity of the plurality of entities,causing a risk score associated with the entity to be displayed within arespective polygon to which the entity is assigned.
 3. Thecomputer-implemented method of claim 1, further comprising: causing aranked list of the plurality of entities to be displayed on a samedisplay screen as the interactive visualization.
 4. Thecomputer-implemented method of claim 1, further comprising: causing aranked list of the plurality of entities to be displayed on a samedisplay screen as the interactive visualization; receiving user inputselecting an entry in the ranked list, the entry representing aparticular entity of the plurality of entities; and in response to theuser input selecting the entry in the ranked list, causing a visualeffect to be displayed to emphasize a polygon associated with theparticular entity.
 5. The computer-implemented method of claim 1,further comprising: causing a ranked list of the plurality of entitiesto be displayed on a same display screen as the interactivevisualization; receiving user input selecting a displayed polygon, ofthe plurality of polygons, in the interactive visualization, thedisplayed polygon corresponding to a particular entity of the pluralityof entities; and in response to the user input selecting the displayedpolygon, causing a visual effect to be displayed to emphasize an entry,in the ranked list, representing the particular entity.
 6. Thecomputer-implemented method of claim 1, further comprising: receivinguser input selecting a polygon of the plurality of polygons; and inresponse to the user input, causing display of additional informationabout an entity associated with the polygon.
 7. The computer-implementedmethod of claim 1, further comprising: receiving user input selecting apolygon of the plurality of polygons; and in response to the user input,causing display of additional information about an entity associatedwith the polygon; wherein causing display of additional informationabout the entity associated with the polygon comprises generating agraphical plot of risk score for the entity associated with the polygon,versus time, for a selected time range.
 8. The computer-implementedmethod of claim 1, further comprising: receiving user input selecting apolygon of the plurality of polygons; and in response to the user input,causing display of additional information about an entity associatedwith the polygon; wherein causing display of additional informationabout the entity associated with the polygon comprises generating alisting of events associated with the entity that is associated with thepolygon for a selected time range.
 9. The computer-implemented method ofclaim 1, further comprising: receiving user input selecting a polygon ofthe plurality of polygons; and in response to the user input, causingdisplay of additional information about an entity associated with thepolygon; wherein causing display of additional information about theentity associated with the polygon comprises causing display of agraphical plot of risk score for the entity associated with the polygon,versus time, for a selected time range, concurrently with display of alisting of events associated with the entity associated with the polygonand the selected time range.
 10. The computer-implemented method ofclaim 1, further comprising: assigning locations to the plurality ofpolygons on the interactive visualization by spatially grouping theplurality of polygons according to ranges of risk scores of thecorresponding entities.
 11. The computer-implemented method of claim 1,further comprising: receiving user input modifying a set of risk scoreranges to be represented in the interactive visualization; and inresponse to the user input, modifying the visualization data to cause amodification to a display of the interactive visualization.
 12. Thecomputer-implemented method of claim 1, wherein the plurality ofpolygons are of a same shape.
 13. The computer-implemented method ofclaim 1, wherein the plurality of polygons are displayed in aninterlocking manner.
 14. The computer-implemented method of claim 1,wherein the plurality of polygons are displayed in an interlockingmanner and are grouped according to ranges of risk scores ofcorresponding entities.
 15. A computing device comprising: a processor;and a non-transitory computer-readable medium, accessible to theprocessor, having stored thereon instructions, execution of which by theprocessor causes the computing device to perform operations including:accessing data representing a plurality of events, each event includingmachine data generated by an entity of a plurality of entities that arepart of or that interact with a network; identifying a plurality ofsecurity related anomalies in the data; generating visualization datafor producing an interactive visualization in which the plurality ofentities are graphically and individually represented according todegrees of risk that the plurality of entities represent to the network,wherein generating the visualization data includes assigning each of theplurality of entities to a separate polygon of a plurality of polygonsthat are to be displayed concurrently on a display screen, and selectinga visual characteristic of each polygon of the plurality of polygons,wherein the visual characteristic of each polygon of the plurality ofpolygons is indicative of a number of security related anomaliesassociated with an entity corresponding to the polygon or a risk levelassigned to the entity; and causing the interactive visualization to bedisplayed on a display device using the visualization data.
 16. Thecomputing device of claim 15, wherein execution of said instructionsfurther causes the computing device to perform operations including:causing a ranked list of the plurality of entities to be displayed on asame display screen as the interactive visualization; receiving userinput selecting an entry in the ranked list, the entry representing aparticular entity of the plurality of entities; and in response to theuser input selecting the entry in the ranked list, causing a visualeffect to be displayed to emphasize a polygon associated with theparticular entity.
 17. The computing device of claim 15, whereinexecution of said instructions further causes the computing device toperform operations including: causing a ranked list of the plurality ofentities to be displayed on a same display screen as the interactivevisualization; receiving user input selecting a displayed polygon, ofthe plurality of polygons, in the interactive visualization, thedisplayed polygon corresponding to a particular entity of the pluralityof entities; and in response to the user input selecting the displayedpolygon, causing a visual effect to be displayed to emphasize an entry,in the ranked list, representing the particular entity.
 18. Anon-transitory computer-readable medium having stored thereoninstructions, execution of which by one or more processors in a dataintake and query system causes the data intake and query system toperform operations including: accessing data representing a plurality ofevents, each event including machine data generated by an entity of aplurality of entities that are part of or that interact with a network;identifying a plurality of security related anomalies in the data;generating visualization data for producing an interactive visualizationin which the plurality of entities are graphically and individuallyrepresented according to degrees of risk that the plurality of entitiesrepresent to the network, wherein generating the visualization dataincludes assigning each of the plurality of entities to a separatepolygon of a plurality of polygons that are to be displayed concurrentlyon a display screen, and selecting a visual characteristic of eachpolygon of the plurality of polygons, wherein the visual characteristicof each polygon of the plurality of polygons is indicative of a numberof security related anomalies associated with an entity corresponding tothe polygon or a risk level assigned to the entity; and causing theinteractive visualization to be displayed on a display device using thevisualization data.
 19. The non-transitory computer-readable medium ofclaim 18, wherein execution of the instructions further causes the dataintake and query system to perform operations including: causing aranked list of the plurality of entities to be displayed on a samedisplay screen as the interactive visualization; receiving user inputselecting an entry in the ranked list, the entry representing aparticular entity of the plurality of entities; and in response to theuser input selecting the entry in the ranked list, causing a visualeffect to be displayed to emphasize a polygon associated with theparticular entity.
 20. The non-transitory computer-readable medium ofclaim 18, wherein execution of the instructions further causes the dataintake and query system to perform operations including: causing aranked list of the plurality of entities to be displayed on a samedisplay screen as the interactive visualization; receiving user inputselecting a displayed polygon, of the plurality of polygons, in theinteractive visualization, the displayed polygon corresponding to aparticular entity of the plurality of entities; and in response to theuser input selecting the displayed polygon, causing a visual effect tobe displayed to emphasize an entry, in the ranked list, representing theparticular entity.